North American Network Operators Group

Re: real-time DDoS help?

  • From: Steve Gibbard
  • Date: Tue Jun 22 15:21:38 2004

On Tue, 22 Jun 2004, James wrote:

> okay people, this is ridiculous.
>
> if you want real-time DOS mitigation, cooperation between ASNs, may I
> introduce you all to:
>
>  http://www.pch.net/inoc-dba/

As in most other situations, there's value to having multiple tools.
Different tools are more useful in different situations, and any single
tool may break when you need it most.

There are really three issues here:  point to point communication, point
to multi-point communication, and what you can do yourself when you don't
have time to wait for the rest of the world.

Point to point communication:

For contacting NOCs that participate in INOC-DBA, INOC-DBA is a nice
intuitive way to contact them.  For NOCs that don't, regular phone numbers
may be more useful.  The NOC list on puck.nether.net can help you track
those down.  Collecting your own contact information is also good.  Know
who your peers and upstreams are, and how to contact them.  Keep track of
who you meet at conferences (but remember that individuals may not want to
answer your phone calls 24 hours a day).  Keep track of who your peers'
peers and your friends' friends are, in case you need an introduction.

Getting yourself taken seriously may be an issue, so figuring out in
advance of an actual problem who will be available to help you is quite
useful.  If you know somebody at the other network, contacting them
directly may help, but keep in mind that dealing with your particular
problem may not be their job, and that even if it is they're presumably
entitled to a private life outside of work.  Otherwise, following the
contractual path between your network and theirs (probably similar to the
AS path) may get you taken more seriously.  Rather than just being some
random person calling and demanding that the other network do something,
you get a situation where organizations are calling other organizations
that they already have agreements with, and contact information for.

Point to multi-point communication:

Contacting an individual network isn't all that useful if you are on the
receiving end of a truly distributed attack.  Any one network might be
able to disconnect a few of the hosts involved, but it's likely that hosts
on other networks would pick up the slack and you wouldn't notice the
difference.  This is the case where putting out some sort of broadcast
message for help probably makes sense.  The NSP-SEC people have a closed
mailing list for handling this sort of thing.  I'm not on it, so I don't
know exactly how it works, but my impression is that it's somewhat
effective.  If you don't qualify for membership, perhaps your upstream
does, and could help you get the word out when needed.

Any broadcast medium for requesting network help will have a problem with
keeping the signal to noise ratio high enough that it will be considered
worth listening to.  The NANOG list, for example, is not particularly
useful, both because there's so much non-real-time-operational content,
and because most of the broadcast messages for help are things that should
not be broadcast.  A lot of people read NANOG in their spare time, but
don't expect any networks to do real time monitoring of it.  I suspect an
open and publicized IRC channel would have this problem to an even greater
extent.  You'd not only be requiring all the networks of the world to sift
through the drivel that didn't apply to them, but you'd be requiring them
to do so constantly.  In general, I suspect the people with the skills and
power to help you are too busy for that, so communications channels that
are closed, or at least not publicized beyond their intended audience, are
likely to be a lot more useful.

What you can do yourself:

No communications channel will be all that useful if the other networks
involved don't want to help.  Sometimes the other networks don't join in
the communications channels you would like them to, or don't answer their
phones.  Sometimes they don't understand the problem.  Sometimes they're
busy (or sleepy), and what's a big problem for you isn't causing any
problems for them.  Even in the best case scenarios, it's often easiest to
put in a short term fix for your problem yourself, and then go ask for
help with the long term solution.

DDOS attacks tend to do one of three things, depending on where your
weakest link is:  overwhelm the hosts they're pointed at, overwhelm your
routers, or saturate your network links.  All of these problems can be
mitigated by increasing capacity -- bigger pipes, bigger routers, more
hosts.  If you can beef up capacity at your borders, devices such as those
made by Riverhead (now part of Cisco) will in many cases be able to do a
nice job of protecting the insides of your network.  Failing that, it may
be best to blackhole the target IP address (or have your upstreams do so,
depending on what's getting saturated), for the sake of saving the rest of
your network.  If you choose the right upstream providers, they will
likely be a lot more responsive to that sort of request than some other
network who isn't depending on getting your money.

-Steve
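The blackhole step the post describes, dropping the target address yourself and having the upstream drop it too, written out as Cisco IOS-style configuration; this is an added example, not configuration from the post or the thread. The AS numbers and addresses are assumptions drawn from RFC 5398 and RFC 5737 documentation space, and the upstream is assumed to honour the 65535:666 blackhole community (RFC 7999); in practice each provider publishes its own community, so substitute theirs.

```cisco
! Border router of AS 64496 (assumed). 192.0.2.10 is the host under attack
! and 192.0.2.254 is an unused address in our space reserved as a discard
! next-hop (both constructed; RFC 5737 documentation addresses).
!
! 1. Local blackhole: static routes to Null0. Traffic for the target is
!    dropped here instead of filling the link toward the host. This
!    sacrifices the one target to keep the rest of the network up, which
!    is the trade-off the post describes.
ip route 192.0.2.254 255.255.255.255 Null0
ip route 192.0.2.10 255.255.255.255 Null0 tag 666
!
! 2. Carry the blackhole to the other border routers via iBGP. Each of
!    them also has the 192.0.2.254 -> Null0 route, so the next-hop
!    resolves to a discard and the drop happens at every edge.
route-map STATIC-TO-BGP permit 10
 match tag 666
 set ip next-hop 192.0.2.254
 set community 65535:666
 set local-preference 200
 set origin igp
!
! 3. Safety check before asking the upstream: only /32s inside our own
!    space may leave with the blackhole community, so a typo cannot
!    blackhole somebody else's address.
ip prefix-list OWN-HOST-ROUTES seq 5 permit 192.0.2.0/24 ge 32
ip prefix-list OWN-AGGREGATES seq 5 permit 192.0.2.0/24
ip community-list standard BLACKHOLE permit 65535:666
!
route-map TO-UPSTREAM permit 10
 match ip address prefix-list OWN-HOST-ROUTES
 match community BLACKHOLE
 set community 65535:666 no-export
route-map TO-UPSTREAM permit 20
 match ip address prefix-list OWN-AGGREGATES
!
! 4. Hand the /32 to the upstream (AS 64511, assumed) so it drops the
!    traffic before it reaches our saturated link.
router bgp 64496
 redistribute static route-map STATIC-TO-BGP
 neighbor 198.51.100.1 remote-as 64511
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 route-map TO-UPSTREAM out
!
! To lift the blackhole once the attack subsides:
! no ip route 192.0.2.10 255.255.255.255 Null0 tag 666
```

Before relying on step 4, confirm with the upstream (the contractual path the post recommends) that they accept /32s with their blackhole community from your ASN; otherwise the announcement is silently filtered and only the local drop takes effect.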