Re: automatic rtbh trigger using flow data

2018-09-06 Thread H I Baysal
I also looked at PMACCT, however I have to say that I am way more pleased with the current setup. PMACCT relies on a bgp session etc, while you actually get that info from your (s)flow. No need for lookup. And I really didn't like the idea of a SQL-like DB, I know I could push it to influx. But I

Re: automatic rtbh trigger using flow data

2018-09-04 Thread Paweł Małachowski
On Fri, Aug 31, 2018 at 11:09:19AM +0200, H I Baysal wrote: > My personal view is, as long as you can store your flow info in a timeseries database (like influxdb and NOT SQL LIKE!!!) you can do whatever you want with the (raw) data. And create custom triggers for different

Re: automatic rtbh trigger using flow data

2018-09-02 Thread Baldur Norddahl
> filtering services for free when DDoS mitigation is a cash cow. > Ryan Hamel > From: NANOG On Behalf Of Baldur Norddahl Sent: Sunday, September 02, 2018 1:42 AM To: nanog@nanog.org Subject: Re: automatic rtbh trigger using

RE: automatic rtbh trigger using flow data

2018-09-02 Thread Ryan Hamel
is going to offer such filtering services for free when DDoS mitigation is a cash cow. Ryan Hamel From: NANOG On Behalf Of Baldur Norddahl Sent: Sunday, September 02, 2018 1:42 AM To: nanog@nanog.org Subject: Re: automatic rtbh trigger using flow data This is not true. Some of our transits do RTBH

Re: automatic rtbh trigger using flow data

2018-09-02 Thread Baldur Norddahl
> From: NANOG On Behalf Of Baldur Norddahl Sent: Saturday, September 01, 2018 5:18 PM To: nanog@nanog.org Subject: Re: automatic rtbh trigger using flow data > Fri, 31 Aug 2018 17:16, Hugo Slabbert wrote: > I wou

RE: automatic rtbh trigger using flow data

2018-09-01 Thread Michel Py
> Roland Dobbins wrote : > I'm well aware of what's mentioned in the Arbor report, thanks! I would not have guessed :P > Ryan Hamel wrote : > No ISP is in the business of filtering traffic unless the client pays the hefty fee since someone still has to tank the attack. I agree. In the end,

Re: automatic rtbh trigger using flow data

2018-09-01 Thread Hugo Slabbert
turday, September 01, 2018 5:18 PM To: nanog@nanog.org Subject: Re: automatic rtbh trigger using flow data Fri, 31 Aug 2018 17:16, Hugo Slabbert <h...@slabnet.com> wrote: I would love an upstream that accepts flowspec routes to get granular about drops and to basically push "st

Re: automatic rtbh trigger using flow data

2018-09-01 Thread Hugo Slabbert
On Sun 2018-Sep-02 10:09:32 +0700, Roland Dobbins wrote: On 1 Sep 2018, at 1:43, Hugo Slabbert wrote: Generally on the TCP side you can try SYN or ACK floods, but you're not going to get an amplified reflection. Actually, TCP reflection/amplification has been on the increase; the

Re: automatic rtbh trigger using flow data

2018-09-01 Thread Roland Dobbins
On 1 Sep 2018, at 1:43, Hugo Slabbert wrote: Generally on the TCP side you can try SYN or ACK floods, but you're not going to get an amplified reflection. Actually, TCP reflection/amplification has been on the increase; the attacker is guaranteed at least 4:1 amplification in most

Re: automatic rtbh trigger using flow data

2018-09-01 Thread Roland Dobbins
On 1 Sep 2018, at 1:20, Lotia, Pratik M wrote: Arbor report mentions volumetric attacks using DNS, NTP form 75+% of the attacks. I'm well aware of what's mentioned in the Arbor report, thanks! ;> Then QoSing certain ports and protocols is the best way to start with. The point is that

Re: automatic rtbh trigger using flow data

2018-09-01 Thread Roland Dobbins
On 1 Sep 2018, at 1:35, Aaron Gould wrote: I may mark internet-sourced-udp with a certain marking dscp/exp so that as it travels through my internet network, it will be the first to get dropped (? Wred ? work well for udp?) during congestion when an attack gets through You can use flow

RE: automatic rtbh trigger using flow data

2018-09-01 Thread Ryan Hamel
: Saturday, September 01, 2018 5:18 PM To: nanog@nanog.org Subject: Re: automatic rtbh trigger using flow data Fri, 31 Aug 2018 17:16, Hugo Slabbert <h...@slabnet.com> wrote: I would love an upstream that accepts flowspec routes to get granular about drops and to basically push "sta

Re: automatic rtbh trigger using flow data

2018-09-01 Thread Baldur Norddahl
Fri, 31 Aug 2018 17:16, Hugo Slabbert wrote: > I would love an upstream that accepts flowspec routes to get granular about drops and to basically push "stateless ACLs" upstream. > _keeps dreaming_ We just need a signal to drop UDP for a prefix. The same as RTBH but only for UDP.

Re: automatic rtbh trigger using flow data

2018-08-31 Thread Hugo Slabbert
On Fri 2018-Aug-31 13:35:29 -0500, Aaron Gould wrote: * btw, what can you experts tell me about tcp-based volumetric attacks... please help me to understand... does tcp have an inherent inability to ramp-up to massive speeds/loads with its sliding window and must-rcv-ack-before sending more

RE: automatic rtbh trigger using flow data

2018-08-31 Thread Aaron Gould
day, August 31, 2018 12:13 PM To: NANOG list Subject: Re: automatic rtbh trigger using flow data On 31 Aug 2018, at 23:53, Lotia, Pratik M wrote: > Instead of rtbh I would suggest blocking/rate limiting common ports used in DDoS attacks. This isn't an 'instead of', it's an 'in addition

RE: automatic rtbh trigger using flow data

2018-08-31 Thread Lotia, Pratik M
018 11:13 AM To: NANOG list Subject: Re: automatic rtbh trigger using flow data On 31 Aug 2018, at 23:53, Lotia, Pratik M wrote: > Instead of rtbh I would suggest blocking/rate limiting common ports used in DDoS attacks. This isn't an 'instead of', it's an 'in addition to'. And it must be

RE: automatic rtbh trigger using flow data

2018-08-31 Thread Michel Py
t 31, 2018 2:09 AM To: Michel Py; Aaron Gould; mic...@arneill-py.sacramento.ca.us Cc: Nanog@nanog.org Subject: Re: automatic rtbh trigger using flow data Most of the solutions mentioned are paid, or fastnetmon is partially paid. And the thing you want is paid I believe. Nice tool though, n

Re: automatic rtbh trigger using flow data

2018-08-31 Thread Roland Dobbins
On 31 Aug 2018, at 23:53, Lotia, Pratik M wrote: Instead of rtbh I would suggest blocking/rate limiting common ports used in DDoS attacks. This isn't an 'instead of', it's an 'in addition to'. And it must be done judiciously; many operators doing this have concentrated on common

RE: automatic rtbh trigger using flow data

2018-08-31 Thread Lotia, Pratik M
-flowspec ~Pratik Lotia -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of H I Baysal Sent: Friday, August 31, 2018 3:09 AM To: Michel Py; Aaron Gould; mic...@arneill-py.sacramento.ca.us Cc: Nanog@nanog.org Subject: Re: automatic rtbh trigger using flow data Most

Re: automatic rtbh trigger using flow data

2018-08-31 Thread Roland Dobbins
On 31 Aug 2018, at 22:15, Hugo Slabbert wrote: I would love an upstream that accepts flowspec routes to get granular about drops and to basically push "stateless ACLs" upstream.

Re: automatic rtbh trigger using flow data

2018-08-31 Thread Roland Dobbins
On 31 Aug 2018, at 16:33, Ryan Hamel wrote: From experience, sflows are horribly inaccurate for DDoS detection, since the volume could disrupt the control plane and render the process useless, thus not giving data to the external system to act upon it. On the contrary, flow telemetry in

Re: automatic rtbh trigger using flow data

2018-08-31 Thread Hugo Slabbert
On Fri 2018-Aug-31 06:59:29 +0700, Roland Dobbins wrote: On 31 Aug 2018, at 6:47, Aaron Gould wrote: I'm really surprised that you all are doing this based on source ip, simply because I thought the distribution of botnet members around the world were so extensive that I never really

Re: automatic rtbh trigger using flow data

2018-08-31 Thread H I Baysal
: Nanog@nanog.org Subject: Re: automatic rtbh trigger using flow data Most of the solutions mentioned are paid, or fastnetmon is partially paid. And the thing you want is paid I believe. Nice tool though, not saying anything against it. However, my personal view is, as long as you can store your

RE: automatic rtbh trigger using flow data

2018-08-31 Thread Ryan Hamel
: NANOG On Behalf Of H I Baysal Sent: Friday, August 31, 2018 2:09 AM To: Michel Py; Aaron Gould; mic...@arneill-py.sacramento.ca.us Cc: Nanog@nanog.org Subject: Re: automatic rtbh trigger using flow data Most of the solutions mentioned are paid, or fastnetmon is partially paid. And the thing you

Re: automatic rtbh trigger using flow data

2018-08-31 Thread H I Baysal
Most of the solutions mentioned are paid, or fastnetmon is partially paid. And the thing you want is paid I believe. Nice tool though, not saying anything against it. However, my personal view is, as long as you can store your flow info in a timeseries database (like influxdb and NOT SQL

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Michel Py
> Aaron Gould wrote : > I'm really surprised that you all are doing this based on source ip, simply because I thought the distribution of botnet members around the world were so extensive that I never really thought it possible to filter based on sources, if so I'd like to see the list

Re: automatic rtbh trigger using flow data

2018-08-30 Thread Roland Dobbins
On 31 Aug 2018, at 6:47, Aaron Gould wrote: I'm really surprised that you all are doing this based on source ip, simply because I thought the distribution of botnet members around the world were so extensive that I never really thought it possible to filter based on sources, i Using S/RTBH

Re: automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
I'm really surprised that you all are doing this based on source ip, simply because I thought the distribution of botnet members around the world were so extensive that I never really thought it possible to filter based on sources, if so I'd like to see the list too Even so, this would not

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Michel Py
> Joe Maimon wrote : > I use a bunch of scripts plus a supervisory sqlite3 database process all injecting into quagga I have the sqlite part planned, today I'm using a flat file :-( I know :-( > Also aimed at attacker sources. I feed it with honeypots and live servers, hooked into fail2ban

Re: automatic rtbh trigger using flow data

2018-08-30 Thread Joe Maimon
Michel Py wrote: Aaron Gould wrote : Hi, does anyone know how to use flow data to trigger a rtbh (remotely triggered blackhole) route using bgp ? ...I'm thinking we could use quagga or a script of some sort to interact with a router to advertise to bgp the /32 host route of the victim

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Michel Py
30, 2018 3:17 PM To: Aaron Gould; Nanog@nanog.org Subject: RE: automatic rtbh trigger using flow data > Aaron Gould wrote : > Hi, does anyone know how to use flow data to trigger a rtbh (remotely triggered blackhole) route using bgp ? ...I'm thinking we could use quagga or a script of

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Ryan Hamel
QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud -Original Message- From: NANOG On Behalf Of Aaron Gould Sent: Thursday, August 30, 2018 1:38 PM To: 'Michel Py' ; Nanog@nanog.org Subject: RE: automatic rtbh trigger using flow data Thanks, but what if the attacker is many

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
; Nanog@nanog.org Subject: RE: automatic rtbh trigger using flow data > Aaron Gould wrote : > Hi, does anyone know how to use flow data to trigger a rtbh (remotely triggered blackhole) route using bgp ? ...I'm thinking we could use quagga or a script of some sort to interact with

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Michel Py
> Aaron Gould wrote : > Hi, does anyone know how to use flow data to trigger a rtbh (remotely triggered blackhole) route using bgp ? ...I'm thinking we could use quagga or a script of some sort to interact with a router to advertise to bgp the /32 host route of the victim under attack.

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
Wow, 4 replies for fastnetmon, thanks Ryan, Vicente, Job and Kushal. I'll look into it -Aaron From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Aaron Gould Sent: Thursday, August 30, 2018 2:53 PM To: Nanog@nanog.org Subject: automatic rtbh trigger using flow data Hi, does

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Ryan Hamel
There are software packages that combine your needs altogether. I'm sure there are others. WANGuard from Andrisoft (https://www.andrisoft.com/software/wanguard) Fastnetmon (https://fastnetmon.com/) From: NANOG On Behalf Of Aaron Gould Sent: Thursday, August 30, 2018 12:53 PM To: Nanog@nanog.org

Re: automatic rtbh trigger using flow data

2018-08-30 Thread Vicente De Luca
fastnetmon does exactly what you’re looking for. https://fastnetmon.com/ there is also an open source version https://github.com/pavel-odintsov/fastnetmon my best —vicente > On Aug 30, 2018, at 12:52 PM, Aaron Gould