Rarely will sourced ips be the same every time a victim gets DDOS'd. Good telemetry is key but every time the attack happens it needs to be looked at. I find bogon prefixes are not as used much, especially amplification attacks. Gathering good intel and blocking bogons will help, but there is no one strategy that works. You also will always risk blocking some good traffic. Again, there's a reason why you can only mitigate and not stop a DDOS completely.
Paul -----Original Message----- From: Nikos Leontsinis <[email protected]> Sent: Tuesday, December 10, 2019 5:19 PM To: Aaron Gould <[email protected]>; 'Paul Amaral' <[email protected]>; [email protected]; [email protected] Subject: RE: [EXTERNAL] RE: DDoS attack You can get the bogon prefixes from Cymru and defend your network using them in combination with rpf The key with the attacks dos or ddos is to have proper telemetry (streaming telemetry not polling telemetry) and baselines without this information you run the danger of blocking good traffic. Based on the thread below I don't see any evidence of an attack only speculations. nikos -----Original Message----- From: NANOG <[email protected]> On Behalf Of Aaron Gould Sent: Tuesday, December 10, 2019 5:05 PM To: 'Paul Amaral' <[email protected]>; [email protected]; [email protected] Subject: [EXTERNAL] RE: DDoS attack Years ago, we looked at netflow data and precursors to attacks, and found that UDP 3074 Xbox Live was showing up just prior to the attacks...and through other research we concluded that gamers are a big cause of large ddos attacks.... apparently they go after each other in retaliation I've crafted a series of things for dealing with the results of volumetric ddos attacks... I've had attacks in upwards of 50 or 60 gig as I recall.... across all of my (3) internet connections at times - deny acl's ... for ports/protocols that I know are absolutely not needed - policers of various well known port attack vectors (gleaned from netflow data) - policers of well-known *good* ports/protocols (like ntp, dns, etc) to some realistic level - a repeat-victims list of ip's with policing udp for this group (note1) - rtbh (note2) Note 1 - Also, I've learned that if a customer has been attack once, the chances of them being the target of an attack again is high....so by crafting the repeat victims list, you can catch next-day attacks of differing vectors. Note 2 - for sustained attacks lasting a long time (30 mins, an hour, etc), we trigger a bgp/community route that goes out to the inet cloud and stops attack further into the upstream providers network... I know I "complete" the attack, but, I save my network ;) ...I use an old cisco 2600 as my trigger router and wrote a job aid that I shared with the NOC for triggering rtbh when needed, couple commands. ...I would like to automate my rtbh using what I understand is a possibly use case for FastNetMon, but haven't got around to it I also wonder if team cymru's utrs project and other things like that would benefit my security posture. -Aaron This email is from Equinix (EMEA) B.V. or one of its associated companies in the territory from where this email has been sent. This email, and any files transmitted with it, contains information which is confidential, is solely for the use of the intended recipient and may be legally privileged. If you have received this email in error, please notify the sender and delete this email immediately. Equinix (EMEA) B.V.. Registered Office: Amstelplein 1, 1096 HA Amsterdam, The Netherlands. Registered in The Netherlands No. 57577889.
