Re: DDoS auto-mitigation best practices (for eyeball networks)

[Mike Hammett <nanog () ics-il net>]

Often it's an argument in some sort of online game or a poor loser. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 


----- Original Message -----

From: "Mehmet Akcin" <mehmet () akcin net> 
To: "Frank Bulk" <frnkblk () iname com> 
Cc: nanog () nanog org 
Sent: Saturday, September 19, 2015 3:09:47 PM 
Subject: Re: DDoS auto-mitigation best practices (for eyeball networks) 

How does he/she become target? How does IP address gets exposed? 

I guess simplest way is to reboot modem and hope to get new ip (or call n request) 

Mehmet 

> On Sep 19, 2015, at 12:54, Frank Bulk <frnkblk () iname com> wrote: 
>
> Could the community share some DDoS auto-mitigation best practices for 
> eyeball networks, where the target is a residential broadband subscriber? 
> I'm not asking so much about the customer communication as much as 
> configuration of any thresholds or settings, such as: 
> - minimum traffic volume before responding (for volumetric attacks) 
> - minimum time to wait before responding 
> - filter percentage: 100% of the traffic toward target (or if volumetric, 
> just a certain percentage)? 
> - time before mitigation is automatically removed 
> - and if the attack should recur shortly thereafter, time to respond and 
> remove again 
> - use of an upstream provider(s) mitigation services versus one's own 
> mitigation tools 
> - network placement of mitigation (presumably upstream as possible) 
> - and anything else 
>
> I ask about best practice for broadband subscribers on eyeball networks 
> because it's different environment than data center and hosting environments 
> or when one's network is being used to DDoS a target. 
>
> Regards, 
>
> Frank