Years ago, we looked at netflow data and precursors to attacks, and found that UDP 3074 Xbox Live was showing up just prior to the attacks...and through other research we concluded that gamers are a big cause of large ddos attacks.... apparently they go after each other in retaliation
I've crafted a series of things for dealing with the results of volumetric ddos attacks... I've had attacks in upwards of 50 or 60 gig as I recall.... across all of my (3) internet connections at times - deny acl's ... for ports/protocols that I know are absolutely not needed - policers of various well known port attack vectors (gleaned from netflow data) - policers of well-known *good* ports/protocols (like ntp, dns, etc) to some realistic level - a repeat-victims list of ip's with policing udp for this group (note1) - rtbh (note2) Note 1 - Also, I've learned that if a customer has been attack once, the chances of them being the target of an attack again is high....so by crafting the repeat victims list, you can catch next-day attacks of differing vectors. Note 2 - for sustained attacks lasting a long time (30 mins, an hour, etc), we trigger a bgp/community route that goes out to the inet cloud and stops attack further into the upstream providers network... I know I "complete" the attack, but, I save my network ;) ...I use an old cisco 2600 as my trigger router and wrote a job aid that I shared with the NOC for triggering rtbh when needed, couple commands. ...I would like to automate my rtbh using what I understand is a possibly use case for FastNetMon, but haven't got around to it I also wonder if team cymru's utrs project and other things like that would benefit my security posture. -Aaron
