On Thu, Nov 13, 2003 at 04:38:06PM -0800, Tom (UnitedLayer) wrote:
On Thu, 13 Nov 2003, Deepak Jain wrote:
Maybe I am exceptionally naive, but are DDOSes *REALLY* that consistent between providers to affect month-over-month or quarterly ratios?
I know a webhoster/provider who consistently takes in 1Mpps DOS attacks, and I'm presuming that the 95th percentile on that will be fairly high...
Would I want that? Not especially...
Having had a few large DoS-magnet customers behind me (and more than likely being the provider you're talking about :P), I can safely say that they do absolutely nothing to benefit ratios. The traffic is too short and bursty to be of any benefit, even when you can successfully filter it so that no other operations are impacted. I also stand by my opinion that DoS does not happen without a reason. Yes there may be that 1% who gets attacked because they are Yahoo or eBay and are public targets, but it takes a really really special kind of DoS magnet to consistantly receive enough traffic to affect 95th percentile. Those kinds of targets are generally not only engaged in some activity which invites attack (such as running an IRC server), they are actively encouraging it by their behavior, and probably should be booted anyways for other reasons that you just don't know about yet. The only benefit to having a hefty outbound ratio is that you have plenty of headroom to work with when attacks do come in. Unless you happen to notice that a large amount of the traffic is coming from certain Asian Pacific networks, and intentionally peer with them to setup choke points. :) -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)