On 9 Nov 2014, at 10:37, Jon Lewis wrote:
I'm sure it's not always the case, but in my experience as a SP, the victim virtually always did something to instigate the attack, and is usually someone you don't want as a customer.
This may be a reflection of your experience and customer base, but it isn't a valid generalization. Legitimate customers are attacked all the time, for various reasons - including unknowingly having their servers compromised and used as C&Cs by miscreants, who're then attacked by other miscreants. But to say that attacks are 'virtually always' provoked by customers themselves simply isn't true. DDoS extortion, ideologically-motivated DDoS attacks, maskirovkas intended as a distraction away from other activities, simple nihilism, et. al. are, unfortunately, quite common.
When I worked for a cloud hosting provider, the DDoS "victims" tended to be fraudulent signups who were doing malicious or anti-social things on the net and were not paying customers anyway.
Many DDoS attacks are miscreant-vs.-miscreant, that's certainly true. Compromised machines are 'attractive nuisances', which is yet another reason it's important to have visibility into your network traffic (it's easy to get started with NetFlow and open-source tools). ----------------------------------- Roland Dobbins <rdobbins@arbor.net>