Jorge Amodio <jmamodio@gmail.com> writes:
Are folks seeing any major DOS in progress ?
Twitter seems to be under one and FB is flaky.
From what I understand, it's quite common. I got hammered last week. It took out some routers at my upstream (it was a tcp syn flood attack, a whole lot of really small packets. 20Kpps was the peak I saw before the upstream took me out.)
Now, I've cleaned up the mess; (and for now, dropped the inexpensive upstream with the weak routers) I'm building out my monitoring infrastructure and generally preparing for next time. as far as stopping the attacks by 'finishing the job' - which is to say, blackholing the target, the way forward is pretty clear. I mean, I need to do more research and implement stuff, but I don't really need NANOG help for that. The thing is, I like my customers. I don't want to shut off people who are paying me just because they get attacked. I mean, if that's what I've got to do to keep my other paying customers up, I'll do it, but I'd really rather not. what is the 'best practice' here? I mean, most of this is scripted, so conceivably, I could get source addresses fast enough to block them upstream. (right now my provider is only allowing me to blackhole my own space, not blackhole source addresses, which while it keeps me in business, is not really what I want.) My provider does seem to be pretty responsive, so if I can bring them a tool, they might set it up for me. But yeah, I'm getting sidetracked. I guess there are two things I want to know: 1. are there people who apply pressure to ISPs to get them to shut down botnets, like maps did for spam? I've got 50 gigs of packet captures, and have been going through with perl to detect IPs who send me lots of tcp packets with 0 payloads, then manually sending abuse reports. Half the abuse reports bounce, and the other half are ignored. (most of the hosts in question are in china.) 2. is there a standard way to push a null-route on the attackers source IP upstream? I know the problem is difficult due to trust issues, but if I could null route the source, it's just a matter of detecting abusive traffic, and with this attack, that part was pretty easy. -- Luke S. Crawford http://prgmr.com/xen/ - Hosting for the technically adept http://nostarch.com/xen.htm - We don't assume you are stupid.