hi ya roland

On 12/04/15 at 11:09am, Roland Dobbins wrote:
> On 4 Dec 2015, at 9:34, alvin nanog wrote:
>> all that tcpdump gibberish
> Is entirely unnecessary, as well as being completely impractical on a network of any size.

up to a point, probing around at the packet level is unnecessary depending on what one is looking for as the end result

> Reasonable network access policies for the entities under attack plus flow telemetry collection/analysis, S/RTBH, and/or flowspec are a good start, along with this:

flows may address some of the DDoS issues but might not cover all the various DDoS attacks and mitigation options and still stay within the victim's possibly non-existent DDoS mitigation budget

> This business of attempting to use packet captures for everything is the equivalent of your doctor attempting to diagnose the reason you're running a fever by using an electron microscope.

sometimes, one does need to be able to crawl, before walking, before running track vs running marathons or find someone that can run for you

in the case of ddos mitigation, no one solution can mitigate against all the possible various attacks... mitigation is a multi-layered solution - who-what-when-where-how-why-etc:

- one does need to know what servers, ports and hw is being attacked
  it makes DDoS mitigation a lot easier if you know what is under attack and orders of magnitude less expensive to mitigate

- one does need to know who is attacking
  if one cannot defend against low level script kiddie ddos attacks, it's unlikely one will survive a ddos attack from a more skilled attacker determined to take out a server or break in etc
  if you can and have defended against all the basic script kiddie ddos attacks, then it might make it easier to find the next set of the various ddos mitigation options you need to take

- one does need to know how often, what time, they are attacking
  if they are attacking after hours, some folks might not care compared to them attacking during regular business hours

- one does need to know how much traffic the attacks are costing you in terms of time and loss of productivity due to wasted bandwidth
  even 10% of your bandwidth used up by useless DDoS traffic is still noticeably annoying if you were looking to increase network performance

- nobody can really say why they are attacking, other than are you a low level fruit for easy picking or a targeted victim for many reasons ( paid ransom before, high profile servers, a bank, govt servers, etc ) .. pay once and all the other DDoS ransom attackers will come knocking to collect their share

> Start with the BCPs, then move to the macroanalytical. Only dip into the microanalytical when required, and even then, do so very selectively.

yup... selective and escalate the mitigation process and procedure

magix pixie dust
alvin
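The what / who / when / how-much questions in the list above can be answered from flow telemetry rather than packet captures. As an added example (not from this thread or its authors), here is a small Python aggregation over constructed NetFlow-style records; it assumes 09:00-17:00 as business hours and uses documentation address ranges for the sample data.

```python
from collections import Counter
from datetime import datetime

# Constructed NetFlow-style records (timestamp, src_ip, dst_ip, dst_port, proto, bytes).
# Sample data only, not a real capture; the addresses are documentation ranges.
FLOWS = [
    ("2015-12-04T02:10:00", "203.0.113.5",  "192.0.2.10", 80,  "tcp", 900_000),
    ("2015-12-04T02:11:00", "203.0.113.5",  "192.0.2.10", 80,  "tcp", 850_000),
    ("2015-12-04T02:12:00", "203.0.113.7",  "192.0.2.10", 80,  "tcp", 800_000),
    ("2015-12-04T09:30:00", "198.51.100.2", "192.0.2.20", 443, "tcp", 120_000),
    ("2015-12-04T09:31:00", "198.51.100.9", "192.0.2.10", 80,  "tcp", 60_000),
    ("2015-12-04T14:05:00", "203.0.113.5",  "192.0.2.10", 80,  "tcp", 700_000),
]


def flow_summary(flows, business_hours=(9, 17), top_n=3):
    """Answer what / who / when / how much from flow records alone (assumed helper)."""
    by_target = Counter()
    total = 0
    for _, _, dst, dport, proto, nbytes in flows:
        by_target[(dst, dport, proto)] += nbytes
        total += nbytes
    if not total:
        return None
    # what: the server / port / protocol receiving the most bytes
    target, target_bytes = by_target.most_common(1)[0]

    # who and when, restricted to the traffic aimed at that target
    by_source, by_hour = Counter(), Counter()
    for ts, src, dst, dport, proto, nbytes in flows:
        if (dst, dport, proto) != target:
            continue
        by_source[src] += nbytes
        by_hour[datetime.fromisoformat(ts).hour] += nbytes
    start, end = business_hours
    off_hours = sum(b for h, b in by_hour.items() if not start <= h < end)

    return {
        "top_target": target,
        # how much: fraction of all observed bytes that hit the busiest target
        "target_share": target_bytes / total,
        "top_sources": by_source.most_common(top_n),
        "bytes_by_hour": dict(sorted(by_hour.items())),
        # fraction of the target's traffic arriving outside business hours
        "off_hours_share": off_hours / target_bytes,
    }


if __name__ == "__main__":
    for key, value in flow_summary(FLOWS).items():
        print(f"{key}: {value}")
```

Swap the constructed list for records exported by your flow collector and the same aggregation tells you which host/port to protect first, which sources dominate, and whether the traffic lands in or out of business hours.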