99% of the attacks we see are gaming related -- somehow the other players know the IP and then attack our customer for an advantage in the game, or retribution. Most DHCP servers (correctly) give the same IP address if the CPE is rebooted. Ours are one of those. =) Frank -----Original Message----- From: Mehmet Akcin [mailto:mehmet@akcin.net] Sent: Saturday, September 19, 2015 3:10 PM To: Frank Bulk <frnkblk@iname.com> Cc: nanog@nanog.org Subject: Re: DDoS auto-mitigation best practices (for eyeball networks) How does he/she become target? How does IP address gets exposed? I guess simplest way is to reboot modem and hope to get new ip (or call n request) Mehmet
On Sep 19, 2015, at 12:54, Frank Bulk <frnkblk@iname.com> wrote:
Could the community share some DDoS auto-mitigation best practices for eyeball networks, where the target is a residential broadband subscriber? I'm not asking so much about the customer communication as much as configuration of any thresholds or settings, such as: - minimum traffic volume before responding (for volumetric attacks) - minimum time to wait before responding - filter percentage: 100% of the traffic toward target (or if volumetric, just a certain percentage)? - time before mitigation is automatically removed - and if the attack should recur shortly thereafter, time to respond and remove again - use of an upstream provider(s) mitigation services versus one's own mitigation tools - network placement of mitigation (presumably upstream as possible) - and anything else
I ask about best practice for broadband subscribers on eyeball networks because it's different environment than data center and hosting environments or when one's network is being used to DDoS a target.
Regards,
Frank