Hi Robin,

On 12 Feb 2014, at 23:07, Robin Williams <[email protected]> wrote:

> Interesting timing - we've also been seeing a big increase in the same over
> the last few weeks, mainly targeting schools from automated (& cheap!)
> online 'booter' services (presumably instigated by students who have had
> enough of their IT lessons).

Same here, our DDoS were also very short, 15ms, hence why our focus was on reacting to abnormal flows quickly (enough to stop the course, not enough to piss off the ISP?). We found a way to disable the relation between the school and the control machine; since then we have had no more attacks, as it seems that the attack must be initiated from inside the school (at least from what we have seen/understood).

> We've also been forced to script something similar to analyse flows each
> minute and advertise blackholes upstream in an automated fashion in order to
> react quicker.

That's why open source is great, I hate it when everyone is re-inventing the same wheel :-)

> I found that the complexity (and the bit I imagine the paid mitigation
> services spend a lot of their R&D on) is the 'analysis' part to reliably
> detect.

The trick we found is to detect when our upstream passes an "abnormal" threshold and look at that time for the top speaker in terms of pps. Not perfect, but as it still requires someone here to "pull the trigger" it works pretty well.

> I found it easy enough for some of the simple attacks hitting us though.
> Our scripted version is very specific to the way we're set up so it wouldn't
> really translate elsewhere, but I'll be interested to take a look through
> your git repo. Alas, I'm no front-end/gui coder either :)

Our "production" version written by Daniel is ahead of ExaBGP but then it is also very specific. I intend to catch up with him and have the NOC team switch tools, but for the last few days I am told he added a feature I am still missing :p Perhaps I should force him to work on my code base :p I would be interested in sharing ideas, but I guess it would be better to take the discussion off-list.

> One thing I did think would be useful while I was doing this, was if there
> was an 'open' online IP address reputation database (similar to a spam
> reputation db) - I couldn't find one with a quick Google.

No - I do not know of any either, but IMHO we are always fighting the problem the wrong way: ISPs know their customers and should be able to detect outgoing DDoS; instead everyone is paying big money to stop INCOMING flows. The other day we detected that we were part of the problem and stopped the traffic; funnily, we got a mail from the recipient of the attack who was very surprised when we told him that (a) we knew and (b) it had been sorted the day before. I tried to push the same idea with spam a few years back (and even wrote some proof-of-concept code with ScavengerEXA) but got nowhere ... However, I may be able to bring back some of the ideas in ExaDDOS if the project gets traction.

> Seems to me it wouldn't take much for different providers all analysing flows
> to come up with a fairly reliable list of sources for some of this
> amplification attack traffic (provided the source isn't spoofed, which
> normally amplified stuff wouldn't be).

Hum .. a list of open NTP servers?

> Having that list to use when determining whether a flow I'm analysing is a
> DDoS (to use as a weighting amongst other factors) would help a lot, and
> could maybe even be used to drop such traffic in the network based on source
> rather than blackholing destinations upstream, provided the network could
> take the hit (though getting into a bit of neutrality debate there I guess!)

We do not blackhole the destination unless we really have no other choice, as otherwise the attacker wins, hence why I like FlowSpec so much.

Thomas
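The "abnormal upstream threshold, then top speaker by pps" check described in the message above, as an added Python example that is not code from this thread, from ExaDDOS or from ExaBGP. The one-minute flow records, the pps threshold and the table of amplification source ports are constructed assumptions; the output is a candidate list for an operator to review, not an automatic blackhole.

```python
from collections import defaultdict

# Constructed one-minute flow sample (not real traffic):
# (dst_ip, src_ip, proto, src_port, packets_in_window)
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", "udp", 123, 400000),
    ("192.0.2.10", "198.51.100.6", "udp", 123, 350000),
    ("192.0.2.10", "203.0.113.9", "udp", 123, 300000),
    ("192.0.2.20", "203.0.113.50", "tcp", 443, 20000),
    ("192.0.2.30", "203.0.113.51", "udp", 53, 5000),
]

# Assumed table of UDP source ports typical of reflection/amplification traffic.
AMPLIFICATION_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}


def aggregate_pps(flows, window_seconds=60):
    """Upstream-wide packets per second over the window: the 'abnormal' gate."""
    return sum(f[4] for f in flows) / window_seconds


def top_talkers(flows, window_seconds=60, n=3):
    """Destinations ranked by pps received: the 'top speaker' lookup."""
    per_dst = defaultdict(int)
    for dst, _src, _proto, _sport, pkts in flows:
        per_dst[dst] += pkts
    ranked = sorted(per_dst.items(), key=lambda kv: kv[1], reverse=True)
    return [(dst, pkts / window_seconds) for dst, pkts in ranked[:n]]


def amplification_hint(flows, dst):
    """Share of packets to dst arriving from known amplifier UDP source ports."""
    total = sum(f[4] for f in flows if f[0] == dst)
    if total == 0:
        return {}
    hint = defaultdict(int)
    for d, _src, proto, sport, pkts in flows:
        if d == dst and proto == "udp" and sport in AMPLIFICATION_PORTS:
            hint[AMPLIFICATION_PORTS[sport]] += pkts
    return {name: pkts / total for name, pkts in hint.items()}


def analyse(flows, threshold_pps, window_seconds=60, n=3):
    """Return candidate victims only when the aggregate crosses the threshold."""
    if aggregate_pps(flows, window_seconds) < threshold_pps:
        return []
    return [{"dst": dst, "pps": pps, "amplification": amplification_hint(flows, dst)}
            for dst, pps in top_talkers(flows, window_seconds, n)]
```

With the sample above and a 10000 pps threshold, the top candidate is 192.0.2.10 at 17500 pps, all of it from UDP source port 123.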