Solutions for DoS & DDoS
Hello Everyone, I'm assisting a non-profit organization to research solutions to secure their network from DoS/DDoS attacks. So far we have gone the route of discussing with their ISPs to see what solutions they have to offer, believing that the carriers are better positioned to block the attack from the source. I wanted to get the list's thoughts on our approach going the carrier route and/or hear about successful implementations of other solutions. Thanks, -- Michael Gatti 949.371.5474 (UTC -8)
Is the cause of this non-profit a controversial one with a good likelihood of attracting the attention of demographics with the ability to mount DDoS attacks?

If your upstream can do it for a good price (on account of being a non-profit organization) and they have lots of bandwidth along with a decent stack of mitigation gear, and some clue on how to operate them, then that should be the first choice. But DDoS mitigation is not their core business, so be prepared for them to blackhole your IP if things get difficult. Make sure your SLA is as bulletproof as possible, or at least understand how bad things can get before they bail out on you.

If the asset you want to protect is on standard web ports (i.e. 80 and 443) and is a likely DDoS target (per my first question), then one of the affordable DDoS-Mitigation-as-a-Service (DMaaS) providers would be a better fit for the task. Your upstream will appreciate not becoming a collateral victim of the attack traffic. My good friend (who was also a co-founder of Peer1) founded dosarrest.com. They seem to be quite successful and have protected some high profile customers, so feel free to give them a call.

If the non-profit is in the high risk of attack profile (i.e. any cause that is likely to offend techno-savvy bullies or religious fanatics), then you should talk to Prolexic/Verisign/Neustar/NexusGuard. If you are in the high risk category and your cause is that of free speech, maybe the good folks at virtualroad.org (with help from Prolexic) can help.

Regards, Joe
By coincidence we have just published the video archive of our "Mitigating DDoS Attacks: Best Practices for an Evolving Threat Landscape" event last Wednesday. It's at http://youtu.be/FR0660X9lGc We'll have a full transcript up early next week. j
-- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com VP (Admin) - ISOC-NY - http://isoc-ny.org
I can think of a few options here (basically restating what has been said already):

- Black hole routing on ISP side: just makes the client unreachable outside the ISP; available everywhere, free. Not really a protection, as it aids the attacker in achieving his goal of shutting down the client.
- Managed DDoS as a Service on ISP side: the ISP has a dedicated solution to stop attacks on ISP premises (by dedicated I mean some hardware installed). Vendors vary (Arbor/Radware/etc.) and actually are not of much importance to the end client; only an SLA should be in place. Costs money; advisable when undergoing non-stop/frequent attacks of moderate severity. If an attack reaches gigabits of bandwidth consumption the ISP may revert back to black hole to protect its backbone and other clients.
- If speaking of web/email services, a hosted solution is viable to some degree (e.g. Amazon AWS CloudFront, Google Apps, CDNs etc.). It is not a DEDICATED hosted solution against DDoS, so be prepared for the provider to shut down the client if the attack gets heavy enough.
- Hosted web/email solutions WITH dedicated DDoS protection included, including insurance that the client will not be shut down on a heavy load attack (Prolexic etc.). Costs money (not cheap at all), and if your site is not going to be attacked like krebsonsecurity.com or fbi.gov it is probably overkill.

HTH
--
Taking challenges one by one. http://yurisk.info
On Fri, Dec 7, 2012 at 1:30 AM, Yuri Slobodyanyuk <yuri@yurisk.info> wrote:
- If speaking of web/email services, a hosted solution is viable to some degree (e.g. Amazon AWS CloudFront, Google Apps, CDNs etc.). It is not a DEDICATED hosted solution against DDoS, so be prepared for the provider to shut down the client if the attack gets heavy enough.
While Google's business isn't DDoS mitigation, we do see plenty of attacks on user content we host (Google Hosted Services backed by Blogger, App Engine, or other properties) and it's generally not a problem (thinking back over the past few years I can't remember ever terminating a victim). Happy to host more victims, as the attacks provide good (if unplanned) load tests. ;) Send me an email if you want to discuss special needs, and I'll let you know how we might be able to help. Damian
Try the DDoS attack detection and mitigation software named WANGUARD from http://www.andrisoft.com. It's not expensive, and non-profit organisations like you are granted a 30% discount. Install it on a Linux server and you'll have DDoS attack detection in no time. Since you're not a carrier the DDoS scrubbing feature won't be useful to you, but the black hole routing probably will. You can also configure it to send alerts to your upstream carrier or to your attackers' ISPs.
Sounds like an advertisement to me. Thanks, Ameen Pishdadi
On Mon, Dec 10, 2012 at 9:33 AM, Ameen Pishdadi <apishdadi@gmail.com> wrote:
Sounds like an advertisement to me
In the end there are a few actual options (in general):

1) do it yourself
2) have your carrier do it for you
3) have a third party do it for you

There are cost and capability considerations with all of these, basically:

1:
- you'll need more pipe: absorb all that can arrive; can you handle an extra 100gbps of traffic? (or less, you could reasonably build out for X gbps and just die under Y if the cost is unacceptably large to absorb Y)
- more people-smarts: understand what is/isn't an attack, understand peering, transit, costs, complexities, mitigation techniques and costs involved.
- more equipment: mitigation gear (cisco guard, arbor tms, radware...etc)

2:
- monthly (most times) cost for 'insurance': imagine paying an uplift on your current bandwidth costs, for mitigation services, pre-prepared, so all you need to do is 'initiate mitigation' inside the carrier's network.
- people-cost in training to 'make the mitigation happen' (done right at the carrier this is nothing more than a bgp update from you...)

3:
- monthly (or one-time) cost; you may be able to initiate it one-time and walk away, with the attendant costs in management of ad hoc contracts/etc.
- routing changes (do you control at least the /24 around the resource you need to mitigate?)
- tunneling complexity to return to you the 'clean' traffic
- dns shenanigans for those ddos-mitigation folks who don't do routing changes, or prefer DNS ones.

pick what works for you... or your charity org.
-chris
participants (8)
- Ameen Pishdadi
- Christopher Morrow
- Damian Menscher
- Joly MacFie
- Joseph Chin
- Mike Gatti
- Vasile Borcan
- Yuri Slobodyanyuk