On 3 Sep 2007, at 03:58, Hock Jim wrote:

> Sorry for being slightly off-topic, but hoping to seek some advice on
> what is typically the case for ISP response in the case of a DDOS.

it's fine but check out nanog which is more Internet operational than
here..

> In the case of a DDOS attack that saturates an upstream, typically:
> 1. will the ISP charge (based on 95% percentile) for the days or hours
> where the traffic increased substantially due to attack traffic

95% means that 5% of traffic is discarded, that amounts to throwing
away around the top 37 hours of traffic so in the case of your DDoS you
are going to need to sustain it for a VERY long period for it to
significantly alter your billing but the ISP should charge.. there are
costs in carrying DDoS traffic!

> 2. will the ISP help to filter out the attack traffic once the
> source/destination has been identified (without any ISP involvement)

i would sincerely hope so, if you find trouble with any who are not try
making a post to the nanog list and see if you either get responses
from anyone with similar experience or hopefully a reply from your ISP.

> 3. will the ISP charge for the traffic filter

i've not seen that. i don't see why they couldn't charge but it would be
in poor taste imho

> We were recently hit by an ICMP DDOS, after identifying the attack
> traffic through NBAR (why isn't NBAR hardware in Sup720?!?) and
> Netflow information, our experience with our (tier-one) ISPs has been
> less than stellar, and were wondering if switching ISPs actually
> helps.

afaik all the tier1s have dedicated people working on this, i can think
of most if not all of them. care to drop a name and i'll give you a
pointer (private if you prefer)

some of those folks are VERY good at what they do too so consider they
may be able to help you with an attack at the early stages without you
needing to identify the nature of the attack - their tools will be more
sophisticated and they can quickly spot the malicious looking traffic
flowing to you.

there are also processes in place that will locate and shut down the
attackers, hitting it at source rather than needing to rely on a filter
for the duration of the attack

Steve

>
> Thanks in advance.
>
> regards,
> Jim
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
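
The 95th percentile arithmetic discussed in the reply above, worked through as an added example that is not part of the original thread. It assumes 5-minute port samples, a 31-day month and a constructed traffic profile (60/30 Mbps baseline, 900 Mbps flood); all function names are hypothetical and real ISP billing rules may differ.

```python
SAMPLE_MINUTES = 5  # assumption: the ISP polls the port every 5 minutes


def percentile_95(samples):
    """Sort the samples, discard the top 5%, return the highest one left."""
    ordered = sorted(samples)
    keep = (95 * len(ordered) + 99) // 100  # ceil(0.95 * n) without floats
    return ordered[keep - 1]


def discarded_hours(days):
    """Hours of peak traffic that fall in the discarded top 5% of a month."""
    n = days * 24 * 60 // SAMPLE_MINUTES
    keep = (95 * n + 99) // 100
    return (n - keep) * SAMPLE_MINUTES / 60


def month_of_samples(days, attack_hours, attack_mbps=900, start_day=10):
    """Constructed profile: 60 Mbps 08:00-20:00, 30 Mbps otherwise, plus one
    continuous flood of attack_hours that saturates the link at attack_mbps."""
    per_hour = 60 // SAMPLE_MINUTES
    samples = [60 if 8 <= (i // per_hour) % 24 < 20 else 30
               for i in range(days * 24 * per_hour)]
    first = start_day * 24 * per_hour
    for i in range(first, first + attack_hours * per_hour):
        samples[i] = attack_mbps
    return samples


def billed_rate(days, attack_hours):
    """Rate in Mbps the customer is billed for under 95th percentile."""
    return percentile_95(month_of_samples(days, attack_hours))


if __name__ == "__main__":
    print(f"31-day month discards the top {discarded_hours(31):.1f} hours")
    for hours in (0, 6, 24, 37, 38, 72):
        print(f"{hours:>3} h of attack -> billed at {billed_rate(31, hours)} Mbps")
```

With these assumptions the billed rate stays at the normal busy-hour level until the flood has lasted longer than the discarded window, then jumps to the attack rate.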