On Sun, 9 Nov 2014, Roland Dobbins wrote:
On 9 Nov 2014, at 10:12, Jon Lewis wrote:
The tricky part is when to remove the route...since you can't tell if the
attack has ended while the target is black holed by your upstreams.
You can with NetFlow, if you've D/RTBHed the IP in question on your own
infrastructure. NetFlow reports statistics on dropped traffic (except on a
few platforms with implementation deficiencies).
I'm assuming from the OP's comment:
"We set up BGP communities with our upstreams, and tested that RTBH can
be set and it does work."
that they have their upstreams null routing the traffic, so they no longer
see the attack traffic.
But this kind of thing punishes the victim. It's far better to do everything
possible to *protect* the target(s) of an attack, and only use D/RTBH as a
last resort.
I'm sure it's not always the case, but in my experience as a SP, the
victim virtually always did something to instigate the attack, and is
usually someone you don't want as a customer. When I worked for a cloud
hosting provider, the DDoS "victims" tended to be fraudulent signups who
were doing malicious or anti-social things on the net and were not paying
customers anyway.
As someone else mentioned, it's better to sacrifice the one target and end
the impact quickly than to piss off all or even some subset of your
customers.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
| therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
