nanog mailing list archives

Re: DDOS, IDS, RTBH, and Rate limiting


From: Joe Chisolm <jchisolm () computer org>
Date: Sun, 09 Nov 2014 01:13:37 -0600

Look at the products from RioRey (www.riorey.com).  IMHO I think their technology is much better than some of the other 
players out here.

On 11/08/2014 07:10 PM, Eric C. Miller wrote:
Today, we experienced (3) separate DDoS attacks from Eastern Asia, all generating > 2Gbps towards a single IP address 
in our network. All 3 attacks targeted different IP addresses with dst UDP 19, and the attacks lasted for about 5 
minutes and stopped as fast as they started.

Does anyone have any suggestions for mitigating these types of attacks?

A couple of things that we've done already...

We set up BGP communities with our upstreams, and tested that RTBH can be set and it does work. However, by the time 
that we are able to trigger the black hole, the attack is almost always over.

For now, we've blocked UDP 19 incoming at our edge, so that if future, similar attacks occur, it doesn't affect our 
internal links.

What I think that I need is an IDS that can watch our edge traffic and automatically trigger a black hole 
advertisement for any internal IP beginning to receive > 100Mbps of traffic. A few searches are initially coming up 
dry...



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115





-- 
Joe Chisolm
Computer Translations, Inc.
Marble Falls, Tx.
830-265-8018

Public Key Available at www.sks-keyservers.net
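
The automation asked for in the quoted message (watch edge traffic and trigger a black hole advertisement for any internal IP receiving > 100Mbps), as an added example that is not code from either poster or from any product named in the thread. The averaging window, hold time, prefix, next-hop and community are assumptions, and the emitted strings assume a BGP speaker that accepts ExaBGP-style text commands.

```python
import ipaddress
from collections import defaultdict, deque

THRESHOLD_BPS = 100_000_000   # the "> 100Mbps" trigger from the post
WINDOW_S = 5                  # assumed averaging window, seconds
HOLD_S = 600                  # assumed quiet time before the route is withdrawn
INTERNAL = ipaddress.ip_network("198.51.100.0/24")  # constructed internal prefix
NEXT_HOP = "192.0.2.1"        # placeholder discard next-hop
COMMUNITY = "65000:666"       # placeholder for the community agreed with the upstream

class RtbhTrigger:
    def __init__(self):
        self.samples = defaultdict(deque)  # dst -> (ts, bytes), oldest first
        self.active = {}                   # dst -> last time seen over threshold

    def observe(self, ts, dst, nbytes):  # nbytes already scaled for flow sampling
        if ipaddress.ip_address(dst) in INTERNAL:
            self.samples[dst].append((ts, nbytes))

    def rate_bps(self, dst, now):
        q = self.samples[dst]
        while q and q[0][0] <= now - WINDOW_S:  # expire samples outside the window
            q.popleft()
        return sum(b for _, b in q) * 8 / WINDOW_S

    def tick(self, now):
        """Return the route commands to hand to the BGP speaker at time now."""
        cmds = []
        for dst in list(self.samples):
            if self.rate_bps(dst, now) > THRESHOLD_BPS:
                if dst not in self.active:
                    cmds.append(f"announce route {dst}/32 next-hop {NEXT_HOP} community [{COMMUNITY}]")
                self.active[dst] = now
            elif not self.samples[dst]:
                del self.samples[dst]           # idle destination, free its state
        for dst, last in list(self.active.items()):
            if now - last >= HOLD_S:            # quiet long enough: lift the black hole
                cmds.append(f"withdraw route {dst}/32 next-hop {NEXT_HOP}")
                del self.active[dst]
        return cmds

def demo():
    """Constructed input: 2 Gbps toward .10 for 5 s, light traffic toward .20."""
    t, out = RtbhTrigger(), []
    for s in range(1, 6):
        t.observe(s, "198.51.100.10", 250_000_000)
        t.observe(s, "198.51.100.20", 1_000_000)
        out += t.tick(s)
    return out + t.tick(5 + HOLD_S)
```

With the constructed input, the /32 is announced on the first one-second tick and withdrawn only after the destination has stayed under the threshold for the hold time, so a five-minute burst is covered without manual action.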


