On 09/19/15 at 02:54pm, Frank Bulk wrote:
Could the community share some DDoS auto-mitigation best practices for eyeball networks, where the target is a residential broadband subscriber?
o kie dough kie
I'm not asking so much about the customer communication as much as configuration of any thresholds or settings, such as:
- minimum traffic volume before responding (for volumetric attacks)

i prefer zero tolerance ... i tarpit all incoming tcp-based attacks and probes that were not allowed incoming tcp traffic to port 25 or port 80 or port blah

example iptables rules ... linux and iptables + tarpits is free
# IPtables-BlackList.net/Howto
- ingress filters
- allow established
- check for blacklist
- limit udp and icmp reply ( tough problem to solve )
- allow to port 80 ( keep webserver separate from dns, smtp, etc )
- tarpit all new tcp incoming connections
- drop all other new incoming connections
- there is no need to log millions of ddos attack packets per second unless you want to fill up your disk which helps the ddos attacks to be a successful attack
- for icmp and udp ... you will need your ISP to help block it

limiting incoming icmp/udp is sorta pointless since those packets already come down the wire
however, you still do NOT want to respond to those packets either
so you will have to limit to just a handful per second, little more per hour, and higher limit per day

for icmp ... turn off broadcast ping responses on all devices
for udp ... make sure the apps are properly configured
dns, snmp, ntp, nfs, x11, etc uses udp
your dns servers might need to be accessible from outside
all other udp-based servers should be internal only

- to protect against arp-based attacks .... build/patch/configure your hardware/routers/switches properly
- install monitoring tools to watch for whatever you're paranoid about
- man-in-the-middle .. trivial to detect and prevent
- sniffers ( hard to detect )
- minimum time to wait before responding
zero wait ...
- filter percentage: 100% of the traffic toward target (or if volumetric, just a certain percentage)?
you will always, 100% fail volumetric attacks
- time before mitigation is automatically removed
you can have iptables remove a particular ddos attacker automatically or manually i prefer manually so i can see what it's doing
- and if the attack should recur shortly thereafter, time to respond and remove again
zero wait time .. zero tolerance per example iptables rules above
- use of an upstream provider(s) mitigation services versus one's own mitigation tools
i haven't found too many ISPs willing to allow customers to put a customer firewall in their facility just before it comes down to the wire to the customer's bldg
this is required if customers want to properly mitigate icmp-based and udp-based ddos attacks
- network placement of mitigation (presumably upstream as possible)
- and anything else

mitigation solutions should be a gateway firewall and host-based mitigation
if you can install another firewall at the ISP, that's good too
and you still need a gateway firewall and the host based firewall
I ask about best practice for broadband subscribers on eyeball networks because it's different environment than data center and hosting environments or when one's network is being used to DDoS a target.
add corp environment, hospitality environment, govt environment, etc etc to the list too
- free wifi, hotel based wifi or hardwire is probably the easiest way to send the unsuspecting victim home with a trojan that will phone home ( the attacker ) when the victim plugs the cracked box into the secure corp network

nah.... ddos attacks are ddos attacks ... usually harmless ... it probably doesn't matter to the attackers what they're attacking
you are constantly under 24x7x365 low level ddos attacks
if you are being targeted by somebody that wants to get you, you'd have a problem if they're better at attacking than you are at defending your servers ... they're done if they have a bigger budget to pay for all the necessary bandwidth needed to take your servers offline
- if you know who they are, call the ISP and the cops

-----
other "basic best practices"
- have a good security policy ... even if just for yourself
  hide the laptop in your trunk using a brown bag and NOT an obvious laptop bag
- always use encrypted services... never clear text
- use ssh, openssl, smtps, pop3s, imap3s
- dozens of other best practices security rules
- always have an incremental daily backup that is kept for months
- always have a hot swap backup just in case .... etc .. etc ...

----
you should also keep track of who is attacking your servers so that law enforcement can follow up if needed
you should also know which src address might be spoofed and which ddos attackers are using their real src ip
tracing the originating source of spoofed address requires the help of the various upstream ISP magic pixie dust

alvin
#
# DDoS-Mitigator.com
# IPtables-BlackList.net/Howto
#
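An iptables INPUT policy in the shape of the rule list above (ingress filters, allow established, blacklist check, rate-limited icmp/udp, allow port 80, tarpit other new tcp, drop the rest without logging), written as an added example for this thread; it is not Alvin's ruleset or anything from the sites in his signature. It prints the commands by default (dry run) and only applies them when run as root with IPT=iptables; the WAN interface name, the blacklist file path and the rate limits are assumptions, and the TARPIT target comes from the xtables-addons package, not stock iptables.

```shell
#!/bin/sh
# Added example: INPUT chain in the shape of the list above (not the poster's rules).
# Dry run by default: prints the commands. Run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"                                 # assumed public-facing interface
BLACKLIST="${BLACKLIST:-/etc/iptables/blacklist}"  # assumed path, one CIDR per line

gen_rules() {
    $IPT -P INPUT DROP
    # allow loopback and anything belonging to an already-established flow
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ingress filters: private/loopback sources must never arrive on the WAN side
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
    done
    # blacklist check: listed sources are dropped silently, nothing is logged
    if [ -r "$BLACKLIST" ]; then
        while read -r net; do
            if [ -n "$net" ]; then $IPT -A INPUT -s "$net" -j DROP; fi
        done < "$BLACKLIST"
    fi
    # limit icmp and udp replies: a handful of echo-requests per second, udp only for dns
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    $IPT -A INPUT -p icmp -j DROP
    $IPT -A INPUT -p udp --dport 53 -m limit --limit 100/second --limit-burst 200 -j ACCEPT
    $IPT -A INPUT -p udp -j DROP
    # new tcp is allowed to the web server only; every other new tcp connection is tarpitted
    $IPT -A INPUT -p tcp --syn --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --syn -j TARPIT   # TARPIT target is provided by xtables-addons
    # everything else is dropped and never logged
    $IPT -A INPUT -j DROP
}

gen_rules
```

Keep the dns accept rule only on hosts that actually serve dns to the outside; on any other box the udp section collapses to the single drop.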