Roland Dobbins wrote:
On 9 Nov 2014, at 10:37, Jon Lewis wrote:
I'm sure it's not always the case, but in my experience as a SP, the victim virtually always did something to instigate the attack, and is usually someone you don't want as a customer.
This may be a reflection of your experience and customer base, but it isn't a valid generalization. Legitimate customers are attacked all the time, for various reasons - including unknowingly having their servers compromised and used as C&Cs by miscreants, who're then attacked by other miscreants.
But to say that attacks are 'virtually always' provoked by customers themselves simply isn't true. DDoS extortion, ideologically-motivated DDoS attacks, maskirovkas intended as a distraction away from other activities, simple nihilism, et. al. are, unfortunately, quite common.
When I worked for a cloud hosting provider, the DDoS "victims" tended to be fraudulent signups who were doing malicious or anti-social things on the net and were not paying customers anyway.
Many DDoS attacks are miscreant-vs.-miscreant, that's certainly true. Compromised machines are 'attractive nuisances', which is yet another reason it's important to have visibility into your network traffic (it's easy to get started with NetFlow and open-source tools).
Granted, a sample size of 1 - but the most recent event where we were the vector for a reflection attack, the target was a game hosting system. Based on some interaction with their sysadmin, it became pretty clear that this is fairly common for them, and the motivations had more to do with hacking gameplay than anything else. Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra