Re: DDoS Mitigation

2015-11-04 Thread Christopher Morrow
a short answer for the OP is: "Find an ISP that will actually support you"

there are quite a few in the US that will filter traffic like this for
you (vzb will) on demand, provided the traffic is service impacting
and NOT 'victoria secret runway show' traffic.

alternately you could find an ISP that has a mitigation service (vzb,
att, ntt, sprint i think still does)  and move your links there.

All of those are cheaper when under attack than the off-network
solutions (generally).

On Thu, Nov 5, 2015 at 9:12 AM, Tin, James  wrote:
> This is my first post to Nanog. So please don't flame me down ;)
>
> Hi Mario.
>
> Typically the cost of Ddos mitigation is charged on the amount of clean 
> traffic inbound to your network, the number of protected /24 ranges you need 
> protected and the number of datacentres you want to protect.
>
> Ideally the Ddos mitigation solution should block attacks as close as 
> possible to the source of the attack. One good way of doing this is by 
> leveraging anycast from multiple scrubbing centres and ensure there is enough 
> backbone bandwidth between each scrubbing centre to deliver clean traffic.
>
> Blocking it at your upstream transit provider may be too late for significant 
> attacks as any service provider between you and the source could black hole 
> the traffic before it gets to your peers. This results in legitimate traffic 
> not being able to reach your network.
>
> Paras is correct, attacks could be on any port and often multivector and 
> change within an attack campaign if attackers see one vector is not 
> effective. So each attack really needs to be dealt with dynamically to ensure 
> there are no false positives (something is blocked when it shouldn't be)
>
> Unfortunately it is very simple to initiate a Ddos attack, but the cost of 
> mitigation is very high. So the solution you choose really depends on the 
> monetary cost of the outages, clients you have and whether the cost can be 
> amortised over your client base.
>
> I have seen service providers offer premium hosting services which have Ddos 
> mitigation, using separate infrastructure and links to their normal 
> customers. This reduces the cost of mitigation while also containing the 
> risks and the collateral damage.
>
> There are also different Ddos mitigation solutions depending on the service 
> protocols you are offering. Ie web traffic could be mitigated with cdn vs 
> all protocols and ports with BGP via a scrubbing centre.
>
> Sent from my iPhone
> James Tin
> Enterprise Security Architect APJ
>
> Office: +61 9008 4906
> Cell: +61 466 961 555
> Akamai Technologies
> Level 7, 76 Berry St
> North Sydney, NSW 2071
>
> On 5 Nov 2015, at 05:13, Paras <pa...@protrafsolutions.com> wrote:
>
> Hey,
>
> Just blocking port 19 won't cut it, as we often see Chargen attacks that run 
> on nonstandard ports as well
>
> Thanks,
> Paras
>
> On 11/4/2015 12:33 PM, Mario Eirea wrote:
> Hello everyone,
>
> Looking to find out how the pricing model works for DDoS mitigation and what 
> to expect as far as ballpark pricing from my ISP. Some background, we are 
> getting hit with a chargen attack that comes and goes and is saturating our 
> 500mb connection. Tried hitting up the ISP for UDP block on 19 but they want 
> us to go through our rep, in the process making this go on longer than is 
> necessary. Any feedback would be appreciated.
>
> Thanks,
>
> -ME
>
>


Re: DDoS Mitigation

2015-11-04 Thread Tin, James
This is my first post to Nanog. So please don't flame me down ;)

Hi Mario.

Typically the cost of Ddos mitigation is charged on the amount of clean traffic 
inbound to your network, the number of protected /24 ranges you need protected 
and the number of datacentres you want to protect.

Ideally the Ddos mitigation solution should block attacks as close as possible 
to the source of the attack. One good way of doing this is by leveraging 
anycast from multiple scrubbing centres and ensure there is enough backbone 
bandwidth between each scrubbing centre to deliver clean traffic.

Blocking it at your upstream transit provider may be too late for significant 
attacks as any service provider between you and the source could black hole the 
traffic before it gets to your peers. This results in legitimate traffic not 
being able to reach your network.

Paras is correct, attacks could be on any port and often multivector and change 
within an attack campaign if attackers see one vector is not effective. So each 
attack really needs to be dealt with dynamically to ensure there are no false 
positives (something is blocked when it shouldn't be)

Unfortunately it is very simple to initiate a Ddos attack, but the cost of 
mitigation is very high. So the solution you choose really depends on the 
monetary cost of the outages, clients you have and whether the cost can be 
amortised over your client base.

I have seen service providers offer premium hosting services which have Ddos 
mitigation, using separate infrastructure and links to their normal customers. 
This reduces the cost of mitigation while also containing the risks and the 
collateral damage.

There are also different Ddos mitigation solutions depending on the service 
protocols you are offering. Ie web traffic could be mitigated with cdn vs all 
protocols and ports with BGP via a scrubbing centre.

Sent from my iPhone
James Tin
Enterprise Security Architect APJ

Office: +61 9008 4906
Cell: +61 466 961 555
Akamai Technologies
Level 7, 76 Berry St
North Sydney, NSW 2071


On 5 Nov 2015, at 05:13, Paras <pa...@protrafsolutions.com> wrote:

Hey,

Just blocking port 19 won't cut it, as we often see Chargen attacks that run on 
nonstandard ports as well

Thanks,
Paras

On 11/4/2015 12:33 PM, Mario Eirea wrote:
Hello everyone,

Looking to find out how the pricing model works for DDoS mitigation and what to 
expect as far as ballpark pricing from my ISP. Some background, we are getting 
hit with a chargen attack that comes and goes and is saturating our 500mb 
connection. Tried hitting up the ISP for UDP block on 19 but they want us to go 
through our rep, in the process making this go on longer than is necessary. Any 
feedback would be appreciated.

Thanks,

-ME




Re: DDoS Mitigation

2015-11-04 Thread Joseph Jenkins
Depends on the service, you might have better luck with Verisign or Prolexic and 
they can get the services up and running quickly.
Joe Jenkins
909.636.2097

> On Nov 4, 2015, at 9:33 AM, Mario Eirea  wrote:
> 
> Hello everyone,
> 
> Looking to find out how the pricing model works for DDoS mitigation and what 
> to expect as far as ballpark pricing from my ISP. Some background, we are 
> getting hit with a chargen attack that comes and goes and is saturating our 
> 500mb connection. Tried hitting up the ISP for UDP block on 19 but they want 
> us to go through our rep, in the process making this go on longer than is 
> necessary. Any feedback would be appreciated.
> 
> Thanks,
> 
> -ME



AT&T Wholesale

2015-11-04 Thread Sam Norris
Hey everyone,

Can someone send me privately the contact info for an AT&T Wholesale rep for
Metro E / VPLS / Layer 2 stuff here in the SouthWest region?  Their website is
not very informative on how to make any contact with the wholesale group.

Thx,
Sam



Re: DDoS Mitigation

2015-11-04 Thread Paras

Hey,

Just blocking port 19 won't cut it, as we often see Chargen attacks that 
run on nonstandard ports as well


Thanks,
Paras

On 11/4/2015 12:33 PM, Mario Eirea wrote:

Hello everyone,

Looking to find out how the pricing model works for DDoS mitigation and what to 
expect as far as ballpark pricing from my ISP. Some background, we are getting 
hit with a chargen attack that comes and goes and is saturating our 500mb 
connection. Tried hitting up the ISP for UDP block on 19 but they want us to go 
through our rep, in the process making this go on longer than is necessary. Any 
feedback would be appreciated.

Thanks,

-ME
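
The point in the message above, that a port 19 filter alone misses chargen traffic on other ports, can be shown by classifying on payload instead of port. This is an added example, not part of any poster's message: the UDP records are constructed, and the matching rule (lines of consecutive printable ASCII in the RFC 864 rotating pattern) is a heuristic assumption, not a vendor's detection logic.

```python
RING = bytes(range(0x20, 0x7F))  # 95 printable ASCII characters

def make_chargen(start, nlines, width=72):
    """Build a constructed RFC 864 style payload: rotating 72-char lines."""
    return b"".join(
        bytes(RING[(start + i + j) % len(RING)] for j in range(width)) + b"\r\n"
        for i in range(nlines))

def is_rotating_run(line):
    """True if the bytes are consecutive printable ASCII, wrapping after '~'."""
    if not all(0x20 <= c <= 0x7E for c in line):
        return False
    return all(b == a + 1 or (a == 0x7E and b in (0x20, 0x21))
               for a, b in zip(line, line[1:]))

def looks_like_chargen(payload, min_run=32):
    """Heuristic (assumption): all lines rotate, at least one is min_run long."""
    lines = [l for l in payload.split(b"\r\n") if l]
    return (bool(lines) and max(map(len, lines)) >= min_run
            and all(is_rotating_run(l) for l in lines))

# Constructed inbound UDP records: (source address, source port, payload).
RECORDS = [
    ("198.51.100.7", 19, make_chargen(0, 3)),       # chargen on the usual port
    ("203.0.113.20", 6001, make_chargen(40, 2)),    # same pattern, other port
    ("192.0.2.53", 53, b"\x12\x34\x81\x80\x00\x01\x00\x01" + b"\x00" * 40),
    ("192.0.2.80", 514, b"<134>Nov  4 12:33:01 edge1 link state changed to up\r\n"),
]

def port_filter_hits(records):
    """Sources a plain 'UDP source port 19' filter would match."""
    return [src for src, sport, _ in records if sport == 19]

def payload_hits(records):
    """Sources whose payload matches the chargen pattern, on any port."""
    return [src for src, _, data in records if looks_like_chargen(data)]

def missed_by_port_filter(records):
    return sorted(set(payload_hits(records)) - set(port_filter_hits(records)))

if __name__ == "__main__":
    print("port 19 filter:", port_filter_hits(RECORDS))
    print("payload match: ", payload_hits(RECORDS))
    print("missed by port filter:", missed_by_port_filter(RECORDS))
```
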





DDoS Mitigation

2015-11-04 Thread Mario Eirea
Hello everyone,

Looking to find out how the pricing model works for DDoS mitigation and what to 
expect as far as ballpark pricing from my ISP. Some background, we are getting 
hit with a chargen attack that comes and goes and is saturating our 500mb 
connection. Tried hitting up the ISP for UDP block on 19 but they want us to go 
through our rep, in the process making this go on longer than is necessary. Any 
feedback would be appreciated.

Thanks,

-ME