The most common attacks that I have seen over the last 12 months, and let's say I have seen a fair share have been easily detectable by the source network. It is either protocol 17 (UDP) dst port 80 or UDP Fragments (dst port 0..) What valid application actually uses UDP 80? You could literally wipe out a large amount of these attacks by simply filtering this. -Drew -----Original Message----- From: Arturo Servin [mailto:arturo.servin@gmail.com] Sent: Wednesday, December 08, 2010 10:48 AM To: Jeffrey Lyon Cc: nanog@nanog.org Subject: Re: Over a decade of DDOS--any progress yet? And those are much more complex to detect than SYN attacks or simple flood attacks with ICMP. But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those that exists require a complex coordination with upstreams. Cheers, .as On 8 Dec 2010, at 13:39, Jeffrey Lyon wrote:
We have seen a recent trend of attackers "legitimately" purchasing servers to use for attacks. They'll setup a front company, attempt to make the traffic look legitimate, and then launch attacks from their "legitimate" botnet.
Jeff
On Wed, Dec 8, 2010 at 10:33 AM, Arturo Servin <arturo.servin@gmail.com> wrote:
On 8 Dec 2010, at 13:12, nanog-request@nanog.org wrote:
Date: Wed, 8 Dec 2010 12:53:51 +0000 From: "Dobbins, Roland" <rdobbins@arbor.net> Subject: Re: Over a decade of DDOS--any progress yet? To: North American Operators' Group <nanog@nanog.org> Message-ID: <BF571AD7-1122-407B-B7FA-77B9BBAC48F7@arbor.net> Content-Type: text/plain; charset="us-ascii"
On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
The technology exists to detect and classify this attack traffic, and is deployed in production networks today.
Yes, they do exist. But, is people really filtering out attacks or just watching the attacks going out?
And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes.
In the other hand the target of a DDoS cannot do anything to stop to attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect.
Actually, there're lots of things they can do.
Yes, but all of them rely on your upstreams or in mirroring your content. If 100 Mbps are reaching your input interface of 10Mbps there is not much that you can do.
I know that this has many security concerns, but would it be good a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as the source? Of course that this is more complex that these three or two lines, but I wonder if this has been considerer in the past.
It already exists.
If you have an URL would be good. I only found a few research papers on the topic and RSVP documents but nothing really concrete.
Regards, -as
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions