DDoS Identification / Mitigation
Hi all - I know this isn't a MICE specific question, but I can't think of a better group of people to ask! I was wondering if anyone could share their strategy for DDoS detection and mitigation? We randomly have troubles with it and as you can imagine it's quite the pain! Thanks in advance! d

Dave Williams, Founder / Visionary, Revelation Network Management, Inc. O: 763.367.6161 C: 763.670.5558
This isn't exactly a detection/mitigation solution, but we use the CYMRU UTRS service to help us reduce our share of the problem: http://www.team-cymru.org/UTRS/ https://www.cymru.com/jtk/misc/utrs.html I encourage everyone to check it out. It's free, and as more organizations participate it becomes more effective.
Steve - that looks like a great thing to start with! Thanks!

Sent from my T-Mobile 4G LTE Device
I worked at a shop for a while that used the Arbor Networks solution with good success. From what I recall it requires the upstream carrier to support it, so you'd have to see if yours does.
I replied offlist to the OP. There are so many ways to operate denial of service attacks. Some of them are bandwidth eating (ICMP, SYN, UDP flooding), some of them attack the assets (HTTP slow accept, high fake query/request, etc). Each of these needs a slightly different approach. Arbor Networks works quite well if both ends have it - very true and also very, very expensive. F5 has stuff built in to protect assets but can also be very expensive. Fortigate firewalls have some decent stuff in them for relegating throughput and dropping bad traffic at the edge, but will require some tuning. IPS/IDS is quite good as well. But once the traffic is at your edge, and the attack is to burn your bandwidth, you've already lost. But if application attacks are going on then FGT can help. CloudFlare moves the endpoint into their network and has come a long way since I first learned of them. Think of it as a reverse proxy for HTTP-type termination and your global DNS server. There are so many things that can help mitigate depending on the type of attack - that needs to be determined :)

-- Mike Horwath, reachable via drechsau@Geeks.ORG
We've had great luck with Kentik (https://www.kentik.com/) as a general netflow tool to at least identify DDoS sources/targets (not to mention a very well rounded tool for analyzing flow data coupled with BGP info/sankey diagrams, as well). From a mitigation perspective, hopefully your upstream providers support D/RTBH at a minimum. If they don't, vote with your wallet and go somewhere that does. Set up your iBGP mesh with a blackhole community and local null routing, with respective policies and communities on your transit edges matching their blackhole communities. In theory, you should be able to add a null route anywhere in your iBGP mesh and have network-wide blackholing that also triggers upstream blackholing. Ideally, you'd have some sort of standalone trigger router with OOB access that you can use to originate those routes into BGP. Bonus points for automating that process, or giving a tech an actionable alert to copy/paste into a router.

-- Andrew Hoyos hoyosa@gmail.com
Kentik looked rather useful. We've been browsing in this space quite a bit for the last year. We've consistently struggled with the size of the attacks we are seeing, routinely hitting our upstreams at 2-4x our total uplink size. Has anyone set up any automated triggers with tools like Kentik? Does anyone have any experience with FastNetMon? (https://github.com/pavel-odintsov/fastnetmon) It seemed to potentially be a useful roll-your-own type of solution.

Ben Wiechman, Network Engineer IV | Arvig. Direct: 320.256.0184 Cell: 320.247.3224 Office: 320.256.7471 ben.wiechman@arvig.com
On 01.08.2016 11:58, Ben Wiechman wrote:
Does anyone have any experience with FastNetMon? (https://github.com/pavel-odintsov/fastnetmon) It seemed to potentially be a useful roll-your-own type of solution.
I like it. Works really well with sflow, and netmap (requires Intel NIC + port mirror) is even better. I found netflow generated more false positives in limited testing - that could just be timeout setting-related, but I know the author is not a big netflow fan. FNM doesn't have a lot of knobs to turn on its own - it can email alerts based on very generic thresholds, which has some value, but a bit of customization in ExaBGP and/or flowspec is required to do the cool stuff. IMO it's not a complete solution, but can be a very useful part of an overall plan, if you want to go the roll-your-own route.

-- Colin Baker, SupraNet Communications, Inc. (608) 572-7634 colinb@supranet.net
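The trigger Andrew describes (a host null route originated into the iBGP mesh with a blackhole community, ideally automated) and the ExaBGP glue Colin mentions for FastNetMon, as an added example that is not from any of the posters: a small Python helper that checks a victim address against the operator's own prefixes and a do-not-blackhole list before emitting the ExaBGP API line that announces or withdraws the /32 or /128. The prefixes 203.0.113.0/24 and 2001:db8::/32, the protected addresses, community 65000:666, the discard next-hops 192.0.2.1 and 100::1, and the (ip, action) interface are all assumed values, as is the transit-edge policy that rewrites 65000:666 into each upstream's blackhole community.

```python
"""Added RTBH trigger helper (example code, not from the thread).

Assumptions: 203.0.113.0/24 and 2001:db8::/32 are the operator's own
prefixes; 65000:666 is the iBGP blackhole community; every router has a
static discard route for 192.0.2.1 (v4) and 100::1 (v6, RFC 6666 space);
the transit-edge policy rewriting 65000:666 to the upstream's blackhole
community is already in place. The (ip, action) pair mirrors what a
detector such as FastNetMon hands to a notify script (assumed interface).
"""
import ipaddress

OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]
# Never blackhole these: router loopbacks, resolvers, the trigger host itself.
PROTECTED = {ipaddress.ip_address(a) for a in ("203.0.113.1", "203.0.113.53", "2001:db8::1")}
BLACKHOLE_COMMUNITY = "65000:666"
DISCARD_NEXT_HOP = {4: "192.0.2.1", 6: "100::1"}


def host_route(target):
    """Validate the victim address and return the /32 or /128 to blackhole.

    Refusing anything outside our own space stops a bad or forged alert from
    turning the trigger into a self-inflicted outage somewhere else.
    """
    addr = ipaddress.ip_address(target)
    if not any(addr in net for net in OUR_PREFIXES):
        raise ValueError(f"{addr} is not in our address space")
    if addr in PROTECTED:
        raise ValueError(f"{addr} is protected infrastructure")
    # Host route only: blackholing wider than the victim takes down neighbours.
    return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")


def exabgp_command(target, action):
    """Build the ExaBGP API line that starts or stops the blackhole.

    'ban' announces the route with the blackhole community so every iBGP
    speaker null-routes it and the edges pass it upstream; 'unban' withdraws.
    """
    if action not in ("ban", "unban"):
        raise ValueError(f"unknown action {action!r}")
    route = host_route(target)
    verb = "announce" if action == "ban" else "withdraw"
    next_hop = DISCARD_NEXT_HOP[route.version]
    return f"{verb} route {route} next-hop {next_hop} community [{BLACKHOLE_COMMUNITY}]"


if __name__ == "__main__":
    # Constructed alert: victim 203.0.113.7 under an inbound flood.
    print(exabgp_command("203.0.113.7", "ban"))
    print(exabgp_command("203.0.113.7", "unban"))
```

Fed to a running ExaBGP process over its API pipe, the announce line is what propagates the null route through the mesh; the withdraw line is the piece people forget, so tie it to the detector's unban event or to a timer.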
participants (7): Andrew Hoyos, Ben Wiechman, Brady Kittel, Colin Baker, Dave Williams, Mike Horwath, Steve Howard