> On 10 Dec 2015, at 13:58, Graham L. Stewart <[email protected]> wrote:
>
> You are also forgetting they were Tweeting exact mitigations and giving the
> attackers their mitigation steps for a while, prolonging the attack. I
> understand you are from a Uni and are grateful to have had your service
> restored

I'm not sure what is meant by our service being restored, as we never "lost
service". The network was impacted, but in the main most things carried on
working. The biggest problem was DNS resolution, as some of the root
nameservers were uncontactable, but we mitigated this. The overall impact on
our institution was quite low.

> but you should look carefully at if you have just 'bought the bull'?

I'm not sure what you are referring to with "bought the bull"?

> Your point regarding DDoS testing and Arbour goes to show you don't fully
> understand the product or methods used to mitigate, as these are testable and
> should be on a regular basis. Remember as network operators we actually have
> a responsibility to use industry best practice, otherwise there is a question
> of liability that arises regardless of terms and conditions (bet you didn't
> know that).

I didn't make any comments regarding DDoS testing or Arbour. You are making a
lot of assumptions about what I know or don't know.

> Arbour is applied at various points in a network and would protect a whole
> network, i.e. Janet's, not just individual sites; this would be for the good
> of the network. Also your comments regarding DDoS testing,

Which comments are you referring to? I don't remember making any comments
about DDoS testing.

> although you can't test against a real world DDoS you can test monthly
> mitigation techniques. We do this regularly after forming our mitigation plan
> a few months ago. What this does is ensure your RTBH services from Tier 1/2's
> work and are accessible, and gives you the opportunity to remind upstreams you
> may rely on for this that the service has stopped functioning, so you know
> before you need it. You can then also select a small set of your IP space and
> launch attacks and exploits from rented servers, AWS, Azure etc., just to name
> a few, and test your mitigation for various types of attack. Pair that with
> reading up on emerging attack vectors and you will be able to produce a
> pretty good test plan. You should then run a test emergency, almost like a
> fire drill, on a quiet day or over a holiday period.
>
> What you have to realise is DDoS is an attack on the increase; daily I hear of
> more and more networks being attacked this way (well, mostly customers of
> networks). To wait until you are attacked to work out your mitigation methods
> don't work, or tweeting mitigation steps that may alert the attacker / attackers
> to the steps you are taking, is not acceptable as an operator. You should be one
> step ahead of the attackers, not 10 paces behind.

So on one hand you say "If they were releasing information to the wider
community I wouldn't have to speculate …………" but then on the other you say
"tweeting mitigation steps may alert the attacker / attackers to the steps you
are taking is not acceptable as an operator". Which do you want? Do you want
Jisc to release information or not?

Scott

> Graham
>
> On 10/12/2015, 13:01, "Scott Armitage" <[email protected]> wrote:
>
>>> On 10 Dec 2015, at 12:48, Graham L. Stewart <[email protected]> wrote:
>>>
>>> If they were releasing information to the wider community I wouldn't have
>>> to speculate …………
>>
>> I agree Jisc have left a void which has been filled with rumour and
>> speculation (to the point the Express are claiming some ISIS terrorist
>> attack is behind everything). However, it is not unusual for any company to
>> be less than forthcoming with information regarding network operation
>> (particularly security related). I expect once the froth has died down
>> there will be a Networkshop presentation and/or UKNOF presentation about the
>> events of this week.
>>
>>> On 10/12/2015, 12:34, "Scott Armitage" <[email protected]> wrote:
>>>
>>>>> On 10 Dec 2015, at 12:06, Graham L. Stewart <[email protected]> wrote:
>>>>>
>>>>> Got to say though, if you have a sustained DDoS you can't mitigate in over
>>>>> 24 hours you should probably have bought in to Arbour or similar a while
>>>>> ago. Everyone is being very nice around the situation but it's really not
>>>>> acceptable to have had the downtime. I know my commercial customers
>>>>> wouldn't accept that. I know of networks able to mitigate even large DDoS
>>>>> attacks in an hour. Sounds like they didn't have a plan, or if they did it
>>>>> wasn't tested well.
>>>>
>>>> Sounds like you are taking guesses about how Jisc are dealing with the
>>>> situation. The network guys at Jisc are very professional and know how to
>>>> operate networks. Jisc have been keeping their customers (i.e.
>>>> Universities) informed and gave an explanation of the events of Tuesday,
>>>> but asked that information isn't more widely distributed (which we are
>>>> respecting). Other than for a short period (a few hours on Tuesday) there
>>>> has been very little disruption. In my personal opinion the service we as a
>>>> University receive from Jisc (in terms of Internet provision) is exemplary,
>>>> and I doubt a commercial offering could compete. Universities are free to
>>>> go to the market and get commercial provision if they want, but I don't
>>>> think any do (other than for non-academic related activities).
>>>>
>>>> (Note: These are personal views)
>>>>
>>>> Regards
>>>>
>>>> Scott Armitage
signature.asc
Description: Message signed with OpenPGP using GPGMail
