Re: DDOS, IDS, RTBH, and Rate limiting

[Miles Fidelman <mfidelman () meetinghouse net>]

Roland Dobbins wrote:
> On 9 Nov 2014, at 10:37, Jon Lewis wrote:
>
> > I'm sure it's not always the case, but in my experience as a SP, the 
> > victim virtually always did something to instigate the attack, and is 
> > usually someone you don't want as a customer.
>
> This may be a reflection of your experience and customer base, but it 
> isn't a valid generalization.  Legitimate customers are attacked all 
> the time, for various reasons - including unknowingly having their 
> servers compromised and used as C&Cs by miscreants, who're then 
> attacked by other miscreants.
>
> But to say that attacks are 'virtually always' provoked by customers 
> themselves simply isn't true.  DDoS extortion, ideologically-motivated 
> DDoS attacks, maskirovkas intended as a distraction away from other 
> activities, simple nihilism, et. al. are, unfortunately, quite common.
>
> > When I worked for a cloud hosting provider, the DDoS "victims" tended 
> > to be fraudulent signups who were doing malicious or anti-social 
> > things on the net and were not paying customers anyway.
>
> Many DDoS attacks are miscreant-vs.-miscreant, that's certainly true.  
> Compromised machines are 'attractive nuisances', which is yet another 
> reason it's important to have visibility into your network traffic 
> (it's easy to get started with NetFlow and open-source tools).

Granted, a sample size of 1 - but the most recent event where we were 
the vector for a reflection attack, the target was a game hosting 
system.  Based on some interaction with their sysadmin, it became pretty 
clear that this is fairly common for them, and the motivations had more 
to do with hacking gameplay than anything else.

Miles Fidelman





--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra