Request for contact and procedure information
All, I'm currently experiencing a DDOS attack on my home DSL connection. Thousands of requests to port 80. I'm on an SBC business class account. I'm guessing that calling the regular customer support won't get me anywhere. Any suggestions?
Charles, You're going to need an enterprise grade DDoS protection provider and should expect to spend anywhere from hundreds to thousands per month for this service. This is not a service the majority of transit providers are capable of offering.
Best regards, Jeff
On Thu, Jul 9, 2009 at 5:35 PM, Charles Wyble <charles@thewybles.com> wrote:
> All,
> I'm currently experiencing a DDOS attack on my home DSL connection.
> Thousands of requests to port 80.
> I'm on an SBC business class account.
> I'm guessing that calling the regular customer support won't get me anywhere.
> Any suggestions?
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications of The IRC Company, Inc. Look for us at HostingCon 2009 in Washington, DC on August 10th - 12th at Booth #401.
Turn off your DSL modem for awhile, and hope for a new dynamic IP?
Mark
On Thu, Jul 9, 2009 at 5:35 PM, Charles Wyble <charles@thewybles.com> wrote:
> All,
> I'm currently experiencing a DDOS attack on my home DSL connection.
> Thousands of requests to port 80.
> I'm on an SBC business class account.
> I'm guessing that calling the regular customer support won't get me anywhere.
> Any suggestions?
Turn off whatever you have listening on port 80.
On Thu, 9 Jul 2009 21:25:48 -0400 Mark Price <mprice@tqhosting.com> wrote:
> Turn off your DSL modem for awhile, and hope for a new dynamic IP?
> Mark
I did. Still getting pounded.
John Peach wrote:
> Turn off whatever you have listening on port 80.
Have you spoken with your provider? They should be giving you options, like changing your static address, or null routing the attackers upstream, or perhaps blocking port 80 to you, to limit your ingress traffic.
- Dan
Charles Wyble wrote:
> I did. Still getting pounded.
Dude, he's on SBC man. They're not going to do anything but tell him to restart the modem.
On Thu, Jul 9, 2009 at 9:42 PM, Dan White <dwhite@olp.net> wrote:
> Have you spoken with your provider? They should be giving you options, like changing your static address, or null routing the attackers upstream, or perhaps blocking port 80 to you, to limit your ingress traffic.
> - Dan
Dan White wrote:
> Have you spoken with your provider? They should be giving you options, like changing your static address, or null routing the attackers upstream, or perhaps blocking port 80 to you, to limit your ingress traffic.
For DSL? I've never had that kind of luck with SBC's (now AT&T) home products, and I've been using their DSL since 2001. This is one instance where paying the big bucks for at least a T1 can show some return. Even if it's "business DSL" it's still treated the same as "drooling user DSL".
Purely my personal experience.
~Seth
Seth Mattinen wrote:
> For DSL? I've never had that kind of luck with SBC's (now AT&T) home products, and I've been using their DSL since 2001. This is one instance where paying the big bucks for at least a T1 can show some return. Even if it's "business DSL" it's still treated the same as "drooling user DSL".
> Purely my personal experience.
> ~Seth
I guess complaining that your provider won't do anything to help you, and not calling them to find out otherwise is a self fulfilling prophecy.
- Dan
I spoke with SBC. 2 hours on the phone (all with US based support which was awesome) came down to e-mail abuse@sbcglobal.net. I'll let everyone know how it goes.
Dan White wrote:
> I guess complaining that your provider won't do anything to help you, and not calling them to find out otherwise is a self fulfilling prophecy.
Can you read? Did I say that?
~Seth
Seth Mattinen wrote:
> Can you read? Did I say that?
> ~Seth
Seth, This was obviously not a response to you, but to the original poster.
- Dan
Dan White wrote:
> Seth,
> This was obviously not a response to you, but to the original poster.
Sorry, I read that as a response to my message.
~Seth
Good, Fast, Cheap, pick any two. Consumer grade AT&T DSL is fast and cheap, and now you realize why Good is not included when you go with Fast and Cheap.
jc
Charles Wyble wrote:
> All,
> I'm currently experiencing a DDOS attack on my home DSL connection.
> Thousands of requests to port 80.
> I'm on an SBC business class account.
> I'm guessing that calling the regular customer support won't get me anywhere.
> Any suggestions?
Charles Wyble wrote:
> All,
> I'm currently experiencing a DDOS attack on my home DSL connection.
> Thousands of requests to port 80.
> I'm on an SBC business class account.
> I'm guessing that calling the regular customer support won't get me anywhere.
> Any suggestions?
Okay, this is going to sound REALLY lame, but IMHO it may be your best bet to get action from SBC:
1) File a police report with your local law enforcement agency and (CRITICAL) get a case number. (You should have well documented when the attack started, too. If asked why you waited so long to report it, explain that you were not familiar with procedures. You may also be asked what you have that someone wants to attack. "I don't know" is an acceptable answer, if that is the truth.) When local law enforcement completes taking the report, request that your local law enforcement escalate the case to the local/regional FBI office (specifically mention InfraGard).
2) Call your local FBI office and ask to speak to the InfraGard coordinator. (If it is a small office, they may refer you to your regional office.) Tell them you are being DDOSed, that you have filed a report with local law enforcement (give them agency and case number), tell them who is your ISP and contact information, and tell them ISP has been uncooperative at resolution. Ask them can they please help -- at a minimum, can they contact the ISP and get them to start null routing DDOS traffic.
Just out of curiosity, do you have any traffic capture? If so, what type of attack is it? SYN flood, Apache instance starvation, etc.?
You may want to do some packet capture for hand-over to law enforcement.
I know this sounds lame, but I also CONSTANTLY hear from InfraGard that they want to be informed of these types of attacks, and they will help when resources permit.
Don't expect miracles. But it is better than nothing.
Finally, document, document, document!!!
Jon
-- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. Charleston, SC USA o: 843-849-8214 c: 843-813-2924 (NEW!) s: 843-564-4224 http://www.linkedin.com/in/jonrkibler
My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
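To answer the question in the message above about what type of attack a capture shows (SYN flood versus Apache instance starvation), the following added example, which is not part of the original thread, classifies client flows in `tcpdump -nn -tttt` text output and records first and last packet times for the incident file. The sample lines, the addresses, the function name `summarize_capture` and the 50% threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample, in the text format printed by `tcpdump -nn -tttt 'tcp port 80'`.
# All addresses are documentation ranges; 203.0.113.10 stands in for the attacked host.
SAMPLE_CAPTURE = """\
2024-01-01 17:35:01.000101 IP 198.51.100.7.40001 > 203.0.113.10.80: Flags [S], seq 1000, win 65535, length 0
2024-01-01 17:35:01.000150 IP 198.51.100.8.40002 > 203.0.113.10.80: Flags [S], seq 2000, win 65535, length 0
2024-01-01 17:35:01.000210 IP 198.51.100.9.40003 > 203.0.113.10.80: Flags [S], seq 3000, win 65535, length 0
2024-01-01 17:35:01.000300 IP 198.51.100.7.40004 > 203.0.113.10.80: Flags [S], seq 4000, win 65535, length 0
2024-01-01 17:35:01.000320 IP 203.0.113.10.80 > 198.51.100.7.40001: Flags [S.], seq 9000, ack 1001, win 5840, length 0
2024-01-01 17:35:01.000400 IP 198.51.100.7.40005 > 203.0.113.10.80: Flags [S], seq 5000, win 65535, length 0
2024-01-01 17:35:01.000500 IP 192.0.2.44.51000 > 203.0.113.10.80: Flags [S], seq 6000, win 65535, length 0
2024-01-01 17:35:01.000600 IP 203.0.113.10.80 > 192.0.2.44.51000: Flags [S.], seq 9100, ack 6001, win 5840, length 0
2024-01-01 17:35:01.000700 IP 192.0.2.44.51000 > 203.0.113.10.80: Flags [.], ack 1, win 65535, length 0
2024-01-01 17:35:01.000800 IP 192.0.2.44.51000 > 203.0.113.10.80: Flags [P.], seq 1:121, ack 1, win 65535, length 120: HTTP: GET / HTTP/1.1
2024-01-01 17:35:01.000900 IP 192.0.2.45.52000 > 203.0.113.10.80: Flags [S], seq 7000, win 65535, length 0
2024-01-01 17:35:01.001000 IP 203.0.113.10.80 > 192.0.2.45.52000: Flags [S.], seq 9200, ack 7001, win 5840, length 0
2024-01-01 17:35:01.001100 IP 192.0.2.45.52000 > 203.0.113.10.80: Flags [.], ack 1, win 65535, length 0
2024-01-01 17:35:02.000100 IP 198.51.100.10.40006 > 203.0.113.10.80: Flags [S], seq 8000, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\].*?length (?P<length>\d+)"
)

# Assumption: a flow class is called dominant when it covers at least half of all flows.
DOMINANT_SHARE = 0.5


def summarize_capture(text, server_ip, port=80):
    """Classify client->server TCP flows and return a summary for the incident record."""
    flows = {}  # (src_ip, src_port) -> what the client side of that flow did
    first_seen = last_seen = None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] != server_ip or int(m["dport"]) != port:
            continue  # unparsable line, or a server->client packet
        first_seen = first_seen or m["ts"]
        last_seen = m["ts"]
        flow = flows.setdefault((m["src"], m["sport"]),
                                {"syn": False, "ack": False, "payload": 0})
        if "S" in m["flags"] and "." not in m["flags"]:
            flow["syn"] = True   # bare SYN: connection attempt
        elif "." in m["flags"]:
            flow["ack"] = True   # client ACKed, so the handshake completed
        flow["payload"] += int(m["length"])

    counts, per_source = Counter(), Counter()
    for (src, _sport), flow in flows.items():
        per_source[src] += 1
        if flow["payload"] > 0:
            counts["with_request"] += 1      # handshake plus request bytes
        elif flow["ack"]:
            counts["idle_established"] += 1  # connection held open, nothing sent
        elif flow["syn"]:
            counts["half_open"] += 1         # SYN never followed by an ACK

    total = len(flows)
    verdict = "mixed" if total else "no-traffic"
    for label, key in (("syn-flood", "half_open"),
                       ("connection-starvation", "idle_established"),
                       ("full-requests", "with_request")):
        if total and counts[key] / total >= DOMINANT_SHARE:
            verdict = label
            break

    return {
        "first_seen": first_seen,
        "last_seen": last_seen,
        "total_flows": total,
        "half_open": counts["half_open"],
        "idle_established": counts["idle_established"],
        "with_request": counts["with_request"],
        "top_sources": per_source.most_common(3),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in summarize_capture(SAMPLE_CAPTURE, "203.0.113.10").items():
        print(f"{key}: {value}")
```

A "full-requests" verdict only says that completed HTTP requests dominate the capture; whether that is a flood or normal load has to be judged against the site's usual request rate.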
I hate to reply to my own email... but as soon as I hit "SEND", I realized I left off something important...
You said you have Business Class DSL. Is this for a business? If so, have your lawyer contact SBC. S/he should request to talk with the department manager for small business services. That, too, may help get action. Be sure to provide him/her with written documentation on everything you can regarding the attack. The more information that s/he has, the better to beat up on SBC with.
Finally, what does your TOS/SLA say about DDoS? Most have something to say about ISP liability in the mitigation of such attacks.
GOOD LUCK!
Jon
All,
There are few if any ISPs that will help you with something like this. Law enforcement also does not have the resources to even begin to look at a single DSL line being attacked unless you can show 7+ figures in damage or some type of major threat to national infrastructure.
Your options are basically as follows:
1) Use csf. If properly tuned this should be sufficient to filter minor attacks.
2) Invest in a decent firewall like a Juniper Netscreen and set session limits. This won't stop an attack but it will limit the amount of traffic you have to filter locally.
3) Ask SBC to null route the IP completely
4) Invest in an actual protection service.
Jeff
On Fri, Jul 10, 2009 at 12:02 AM, Jon Kibler <Jon.Kibler@aset.com> wrote:
> I hate to reply to my own email... but as soon as I hit "SEND", I realized I left off something important...
> You said you have Business Class DSL. Is this for a business? If so, have your lawyer contact SBC. S/he should request to talk with the department manager for small business services. That, too, may help get action. Be sure to provide him/her with written documentation on everything you can regarding the attack. The more information that s/he has, the better to beat up on SBC with.
> Finally, what does your TOS/SLA say about DDoS? Most have something to say about ISP liability in the mitigation of such attacks.
> GOOD LUCK!
> Jon
Jeffrey Lyon wrote:
> All,
> There are few if any ISPs that will help you with something like this. Law enforcement also does not have the resources to even begin to look at a single DSL line being attacked unless you can show 7+ figures in damage or some type of major threat to national infrastructure.
> Your options are basically as follows:
> 1) Use csf. If properly tuned this should be sufficient to filter minor attacks.
> 2) Invest in a decent firewall like a Juniper Netscreen and set session limits. This won't stop an attack but it will limit the amount of traffic you have to filter locally.
> 3) Ask SBC to null route the IP completely
> 4) Invest in an actual protection service.
Last time I had to deal with a DDoS coming over a Sprint circuit (multilink T1) they transferred me to someone in security and they started null routing things. Initially they were treating it as trouble because the BGP session kept resetting, but once we all figured out it was a DDoS the resolution was quick and painless. Maybe my experience is abnormal? I don't know.
~Seth
Would what? Null route the IP? I'm talking about actually filtering the attack.
Jeff
On Jul 10, 2009 5:10 PM, "Christopher Morrow" <morrowc.lists@gmail.com> wrote:
> On Fri, Jul 10, 2009 at 2:11 AM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
> > All,
> >
> > There a...
> <cough>uunet/vzb would/will</cough>
> (for free most times even)
On Fri, Jul 10, 2009 at 5:12 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
> Would what? Null route the IP? I'm talking about actually filtering the attack.
as was I. (talking about filtering the attack)
Filter like in using the Cisco Guard of sort, to send the good traffic back to the customers? And that service is <cough>free through vzb?</cough>
--------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
--------------------------------------
-----Original Message-----
From: Christopher Morrow [mailto:morrowc.lists@gmail.com]
Sent: Friday, July 10, 2009 5:40 PM
To: Jeffrey Lyon
Cc: nanog@nanog.org; Charles Wyble
Subject: Re: Request for contact and procedure information
> as was I. (talking about filtering the attack)
On Fri, Jul 10, 2009 at 5:49 PM, Luan Nguyen <luan@netcraftsmen.net> wrote:
> Filter like in using the Cisco Guard of sort, to send the good traffic back to the customers? And that service is <cough>free through vzb?</cough>
as in: "find some way to keep the customer alive and kicking"
which might be:
1) null route bad destination if no one cares about it
2) acl the traffic upstream if it's not to something you care about (but need the ip to work)
3) guard/mitigate traffic and redeliver (which has some limitations or did)
all of that is free to 701 customers, yes. if you have to get to step3 more than a few times I'm sure sales will want you to pay, since that part isn't 'free' to the company.
point being, dropping tcp/80 syn traffic isn't hard, and it's routinely done at customer request. (or was when I was doing it there)
-chris
Fact: Filtering TCP/80 attacks is a 3 to 4 figure job, sometimes even 5 figure.
Jeff
On Fri, Jul 10, 2009 at 6:16 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> as in: "find some way to keep the customer alive and kicking"
> which might be:
> 1) null route bad destination if no one cares about it
> 2) acl the traffic upstream if it's not to something you care about (but need the ip to work)
> 3) guard/mitigate traffic and redeliver (which has some limitations or did)
> all of that is free to 701 customers, yes. if you have to get to step3 more than a few times I'm sure sales will want you to pay, since that part isn't 'free' to the company.
> point being, dropping tcp/80 syn traffic isn't hard, and it's routinely done at customer request. (or was when I was doing it there)
> -chris
On Fri, Jul 10, 2009 at 6:38 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
> Fact: Filtering TCP/80 attacks is a 3 to 4 figure job, sometimes even 5 figure.
I was actually being serious, it's not, it doesn't have to, and in the case that started this discussion it probably would have been sufficient to just drop tcp/80 to his link since I would be it's 'business dsl' so he gets an 'SLA' not so he can run a business critical web service there.
There are services you can buy that are a lot more expensive, but why would you? if there are options that are more relevant and cheaper... and in line with what you want. You can certainly pay more if you want to, I'm not sure that's the smart choice though.
-Chris
I don't know of any internet access services that provide a SLA against DDoS.
Jeff
On Fri, Jul 10, 2009 at 10:57 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> I was actually being serious, it's not, it doesn't have to, and in the case that started this discussion it probably would have been sufficient to just drop tcp/80 to his link since I would be it's 'business dsl' so he gets an 'SLA' not so he can run a business critical web service there.
> There are services you can buy that are a lot more expensive, but why would you? if there are options that are more relevant and cheaper... and in line with what you want. You can certainly pay more if you want to, I'm not sure that's the smart choice though.
> -Chris
On Fri, Jul 10, 2009 at 11:06 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
> I don't know of any internet access services that provide a SLA against DDoS.
vzb/mci/uunet used to, there is (I believe) still a 'response' SLA, and there was an SLA for their dos-mitigation service as well...likely somewhere off: http://www.verizonbusiness.com/us/products/security/managed/#services-dos
I was actually talking about an SLA for his link though, not for dos-mitigation services. There used to be, and still is in some networks, the thought that consumer grade services were essentially 'un-SLA''d, while 'business class' services had some form of 'uptime' SLA associated with them. So, folks that telework often subscribe to 'business dsl' in order to get more guaranteed availability, lack of port filtering, static-ips, etc.
-Chris
Charles;
SBC belongs to AT&T which has a ddos mitigation offering http://www.business.att.com/content/productbrochures/PB-DDoS_16651_v1_6-27-0...
Verizon also has such an offering under Managed Services Security Solutions Powered by Cybertrust a company they bought http://www.verizonbusiness.com/us/products/security/managed/#services-dos
________________________________
From: Charles Wyble <charles@thewybles.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Sent: Thursday, July 9, 2009 2:35:14 PM
Subject: Request for contact and procedure information
> All,
> I'm currently experiencing a DDOS attack on my home DSL connection.
> Thousands of requests to port 80.
> I'm on an SBC business class account.
> I'm guessing that calling the regular customer support won't get me anywhere.
> Any suggestions?
participants (13): Adrian Chadd, Charles Wyble, Christopher Morrow, Dan White, Henry Linneweh, JC Dill, Jeffrey Lyon, John Peach, Jon Kibler, Luan Nguyen, Mark Price, Seth Mattinen, William McCall