Comments on: DDOS – A Problem Bigger Than You Can Ever Be

By: Dan

Dan — Wed, 29 Jun 2011 16:56:00 +0000

Putting a DDoS Mitigating device near the client (i.e. Firewall, IPS) or at ISP doesn’t solve the problem. If the former is use, the client bandwidth subscription from its ISP may be overwhelmed. If the latter is use, the ISP main pipe may be overwhlemed. Of course they stopped some of the attack depends on its size and what they have in place to protect from it. But as what this article trying to say that survivability from a very large attack is slim no matter what protection we put within our reach.

Another problem is the way ISP sells the DDoS Mitigating service. Only those who subscribed are “protected”. Those who subscribed either does’nt know or refuse to accept that the Internet is a shared network, attack to those who did not subscribed to DDoS Mitigation service will affect them indirectly. Its business anyway.

Cooperation between ISP is another problem.

Thinking beyond what technology can provide now, I think if we position DDoS Mitigating device at Carriers (and very large ISPs) and perform auto-DDoS Mitigation there – no subscription needed, this will clean up internet or at least bring down the attack.

By: Show 6 – Chewing on DDOS ó Packet Pushers

Show 6 – Chewing on DDOS ó Packet Pushers — Tue, 13 Jul 2010 19:08:51 +0000

[...] EtherealMind – how much bandwidth for DDOS is enough [...]

By: Show 6 ñ Chewing on DDOS – Gestalt IT

Show 6 ñ Chewing on DDOS – Gestalt IT — Sat, 05 Jun 2010 18:31:25 +0000

[...] EtherealMind ñ how much bandwidth for DDOS is enough [...]

By: Mike Moore

Mike Moore — Sun, 16 May 2010 21:23:50 +0000

There aren’t only expensive DDoS appliances out there. We’re using a cheap, software solution to mitigate 10G DDoS attacks and we’re using our own Linux servers for it. You can search for WANGuard to see more about it. If the DDOS attack is too powerful to be mitigated then we can blackhole the attacked IP through BGP.

By: dave

dave — Mon, 22 Mar 2010 03:58:22 +0000

Itís a case of technology being smartly used to fight a flawed technology, vendors have provided tools to deal with these threats and Iím amazed by the seemingly lack of coordination amongst service providers to mitigate DDoS.

First we have the problem of detection; We should be looking to detect the attack at the lower levels, (I donít think its necessarily the SP’s job to do this), I believe that the lower end gateways should be equipped to detect attacks.

Secondly we have to define how to deal with the incident; If you announce an address range (to point that its injected into a routing protocol for announcement into the global routing table) then you have the capability to announce a filter for that address range using something like bgp flowspec.

And finally service providers need to provide the flowspec like functionality in their networks (can be done many ways) in their networks.

By: Dmitri Kalintsev

Dmitri Kalintsev — Mon, 18 Jan 2010 19:47:56 +0000

There are a couple of points to consider when thinking about DDoS protection:

- How likely is your on-line business to get attacked due to its nature (i.e. online gambling and financial sites have much more to lose if their online presence is affected than say “Joe Blow’s Tyres and Shocks”). Often DDoS attacks come with a ransom demand.

- What can your Internet provider or providers do for you (apart from yanking your prefixes from their BGP tables)? Many providers have Arbor infrastructure and can offer DDoS protection services to their downstream clients. Yes, an individual Internet SP can also be drowned, but they also have capability to coordinate their attack mitigation activities with their own upstream providers, which makes the chances of success much better.

Yes, I do realize that even Arbor isn’t a silver bullet when it comes to DDoS attacks in all their approaches and varieties, but a well thought-out strategy (rather than “we’ll buy boxes and all will be fine” approach) can make you sleep a little bit better at night.