Is anyone maintaining a list of good, bad and ugly providers in terms of how seriously they take things they should, like BCP38 and community support and whatever else that's quantifiable?

----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com

----- Original Message -----
From: "Patrick W. Gilmore" <patrick@ianai.net> To: "NANOG list" <nanog@nanog.org> Sent: Sunday, January 11, 2015 7:50:22 AM Subject: Re: DDOS solution recommendation

I agree with lots said here. But I've said for years (despite some people saying I am confused) that BCP38 is the single most important thing we can do to cut DDoS. No spoofed source means no amplification. It also stops things like Kaminsky DNS attacks.

There is no silver bullet. Security is a series of steps ("layers" as one highly respected security professional has in his .sig). But the most important layer, the biggest bang for the buck we can do today, is eliminating spoofed source.

Push on your providers. Stop paying for transit from networks that do not filter ingress, put it in your RFPs, and reward those who do with contracts. Make it economically advantageous to fix the problem, and people will.

-- TTFN, patrick
On Jan 11, 2015, at 08:46 , Mike Hammett <nanog@ics-il.net> wrote:
Well there's going to be two sources of the attack... infested clients or machines set up for this purpose (usually in a datacenter somewhere). Enough people blackhole the attacking IPs, those IPs are eventually going to have a very limited view of the Internet. They may not care if it's a server in a datacenter being used to attack, but an infested home PC would care once they can't get to Google, FaceBook, Instagram, whatever.
If the attacker's abuse contact doesn't care, then with the brute force of more and more of the Internet being offline to them, they'll figure it out.
You hit my honeypot IPs, blackholed for 30 days. You do a DNS request to my non-DNS servers, blackholed for 30 days. Same goes for NTP, mail, web, etc. You have more than, say, 5 bad login attempts to my mail server in 5 minutes, blackholed for 30 days. You're trying to access various web pages known for home router or WordPress exploitation, blackholed for 30 days.
No point in letting troublemakers (manual or scripted) spend more time on the network than necessary. The more people (as a collective or not) that do this, the better.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
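As an added illustration of the "more than 5 bad logins in 5 minutes, blackholed for 30 days" rule in the message above (example code, not anything from the thread's authors): a sliding-window check over constructed mail-server auth-failure log lines, whose format is an assumption, that returns which sources would be blackholed and until when.

```python
# Added example (not from the thread): the "more than 5 bad logins in
# 5 minutes -> blackholed for 30 days" rule above, applied to constructed
# mail-server auth-failure log lines. The log format is an assumption.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                       # more than this many failures trips the rule
WINDOW = timedelta(minutes=5)
BLACKHOLE_FOR = timedelta(days=30)

# Constructed sample log, not real traffic (RFC 5737 test addresses).
SAMPLE_LOG = """\
2015-01-11 07:00:01 auth failed user=alice rip=203.0.113.7
2015-01-11 07:00:05 auth failed user=bob rip=203.0.113.7
2015-01-11 07:01:10 auth failed user=carol rip=203.0.113.7
2015-01-11 07:01:40 auth failed user=dave rip=203.0.113.7
2015-01-11 07:02:02 auth failed user=erin rip=203.0.113.7
2015-01-11 07:02:30 auth failed user=frank rip=203.0.113.7
2015-01-11 07:03:00 auth failed user=mike rip=198.51.100.9
2015-01-11 07:20:00 auth failed user=mike rip=198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+ \S+) auth failed user=\S+ rip=(\S+)$")

def scan(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: blackhole_until} for every source that exceeded
    `threshold` failures inside a sliding `window`. Each per-IP deque keeps
    only timestamps still inside the window, so memory stays bounded."""
    recent = defaultdict(deque)
    blackholed = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # not an auth failure; ignore
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if ip in blackholed:
            continue                    # already decided for this source
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # evict failures older than the window
            q.popleft()
        if len(q) > threshold:
            blackholed[ip] = ts + BLACKHOLE_FOR
    return blackholed

if __name__ == "__main__":
    for ip, until in scan(SAMPLE_LOG).items():
        print(f"blackhole {ip} until {until:%Y-%m-%d %H:%M}")
```

Feeding the output into a real null-route or firewall rule, and expiring entries once `blackhole_until` passes, is the part left to the operator.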
----- Original Message -----
From: "Roland Dobbins" <rdobbins@arbor.net> To: nanog@nanog.org Sent: Sunday, January 11, 2015 7:24:55 AM Subject: Re: DDOS solution recommendation
On 11 Jan 2015, at 20:07, Mike Hammett wrote:
but I'd think that if their network's abuse department was notified, either they'd contact the customer about the issue or at least have on file that they were notified.
Just because we think something, that doesn't make it true.
;>
The way to stop this stuff is for those millions of end users to clean up their infected PCs.
You may want to do some reading on this topic in order to gain a better understanding of the issues involved:
<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>
Some of us have been dealing with DDoS attacks for a couple of decades, now. If it were a simple problem, we would've solved it long ago.
Here's a hint: scale alone makes any problem literally orders of magnitude more difficult than any given instance thereof.
----------------------------------- Roland Dobbins <rdobbins@arbor.net>