North American Network Operators Group

Re: looking for pull traffic

  • From: Richard A Steenbergen
  • Date: Thu Nov 13 20:01:20 2003

On Thu, Nov 13, 2003 at 04:38:06PM -0800, Tom (UnitedLayer) wrote:
> 
> On Thu, 13 Nov 2003, Deepak Jain wrote:
> > Maybe I am exceptionally naive, but are DDOSes *REALLY* that consistent
> > between providers to affect month-over-month or quarterly ratios?
> 
> I know a webhoster/provider who consistently takes in 1Mpps DOS attacks,
> and I'm presuming that the 95th percentile on that will be fairly high...
> 
> Would I want that? Not especially...

Having had a few large DoS-magnet customers behind me (and more than
likely being the provider you're talking about :P), I can safely say that
they do absolutely nothing to benefit ratios. The traffic is too short and
bursty to be of any benefit, even when you can successfully filter it so
that no other operations are impacted.

I also stand by my opinion that DoS does not happen without a reason. Yes
there may be that 1% who gets attacked because they are Yahoo or eBay and
are public targets, but it takes a really really special kind of DoS
magnet to consistently receive enough traffic to affect 95th percentile.
Those kinds of targets are generally not only engaged in some activity
which invites attack (such as running an IRC server), they are actively
encouraging it by their behavior, and probably should be booted anyways
for other reasons that you just don't know about yet.

The only benefit to having a hefty outbound ratio is that you have plenty
of headroom to work with when attacks do come in. Unless you happen to 
notice that a large amount of the traffic is coming from certain Asian 
Pacific networks, and intentionally peer with them to set up choke points.
:)

-- 
Richard A Steenbergen <[email protected]>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)