On 12/8/2010 9:52 AM, Dobbins, Roland wrote:
On Dec 8, 2010, at 10:47 PM, Arturo Servin wrote:
But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those that exists require a complex coordination with upstreams.
This is demonstrably incorrect.
+1 For IPs that don't matter, automated /32 blackholes are usually supported by most providers. For critical infrastructure, I've not had a problem with the security/abuse/noc departments working with me to resolve the issue. The first step to DOS mitigation is being able to shut down the attack vector. If they hit an IP, shut it down, let the 50 other distributed systems take care of it. It's all a matter of perspective, and it has to be handled on a case by case basis. I had a dialup modem bank IP get DOS's due to a customer off it. Well, the modem bank itself doesn't need to talk to the outside world (outside of traceroutes), so a quick blackhole of it stopped the DDOS (which was a small 300mb/s). I've talked with several providers who will gladly redirect a subset of IP's through their high end filters, so in event of DOS, I can drop that /24 down to 1 transit peer, have them redirect it through their filter servers, and get clean traffic back to my network. Jack