Hannigan, Martin wrote:
Well, this is no longer about tracing DDoS I suppose..
Good advice when DDOS' are constant. If this was a first and possibly last for awhile, it may make sense to rely on the software tools and a good 'SOP' with the provider instead. It really depends on the scope of the problem in particular.
DDOS' is rather infrequent to zero for most enterprises. That DDOS golden banana is rather yummy with sprinkles on top. Don't get me wrong, the DDOS problem is real, but not for everyone, and not as frequently as it's being hyped up to be. A managed service is a better way to go if they're worried, IMO.
Two things, planning for disaster and mitigation on-going DDoS attacks. Planning... Sound advice, but I'd phrase it a little differently. All depending on how big they are, how much they have to invest, how worried they are and how much they stand to lose by such an attack, short or prolonged (which after their last experience they should be able to answer), they are more than capable to decide how much they want to invest. If they are generally concerned but not truly able to pay so much for an.. infrequent serious risk, they can indeed get better (more organized) relations with their uplink, as well as perhaps check if their uplink can use their own.. say Cisco Guard for them or whatever other mitigation service they can offer. That or get a better uplink. They could combine tactics, such as for example get the Guard but direct it using netflow data rather than the Detector. It all depends on how much they are willing to invest - but knowing what they need is entirely up to them and after such an attack I bet they have a fairly good idea. Mitigating... As to the infrequency of the attacks, it really depends on who you ask. We (at Tehila) get attacked quite often, and we see others get attacked quite often. Others yet, get attacked on such a scale once a year or so. How much do you stand to lose from just ONE devastating attack? Underplaying DDoS though is something I do not agree with you on, though. The scale of the problem is much bigger than most believe. Unrelated to my own experience and that of my employer, at the drone armies research and mitigation mailing list we have been able to actively mitigate DDoS attacks in real time, what we need is a log of the attacking IP's with timestamps and we do our best to help. In our last success we mitigated a 400 mega packets attack into just about 20, crippling the ability of the attacker to strike for a few weeks. After his second attempt he never went back to that target again (so far, anyway). Gadi.