nanog mailing list archives
Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Fri, 23 Sep 2016 22:42:45 -0400
On Fri, Sep 23, 2016 at 10:13 PM, Jon Lewis <jlewis () lewis org> wrote:
> On Fri, 23 Sep 2016, Christopher Morrow wrote:
>> On Fri, Sep 23, 2016 at 9:24 PM, Jon Lewis <jlewis () lewis org> wrote:
>>> On Fri, 23 Sep 2016, Patrick W. Gilmore wrote:
>>>> Is CloudFlare able to filter Layer 7 these days? I was under the impression CloudFlare was not able to do that. There have been a lot of rumors about this attack. Some say reflection, others say Layer 7, others say .. other stuff. If it is Layer 7, how are you going to "step in front of the cannon"? Would you just pass through all the traffic?
>>> Anycast + load balancers + high powered varnish?
>> notionally (because I have been paying zero attention to this) jon's suggesting:
>> 1) setup a crapload of nginx/squid/etc configured tightly for things to be accessed behind them
>> 2) ecmp to them across several layers (assume 32 ecmp at each layer, call it 4 layers get craploads of machines running)
>> 3) change over the dns
>> 4) profit-- eh?
>> If you can eat the PPS, you can spray across enough tcp listeners, you can weed out the chaff and start filtering in the 'application'... perhaps also run a 'low bandwidth' version of the target site... hey look, we invented prolexic.
> Well...by anycast, I meant BGP anycast, spreading the "target" geographically to a dozen or more well connected/peered origins. At that point, your ~600G DDoS might only be around

anycast and tcp? the heck you say! :)

> 50G per site, and at that level, filtering the obvious crap gets much more reasonable. Then, doing the layer 7 scrubbing of the less obvious crap is more easily dealt with than a single site receiving 600G of attack traffic.

sure, yes.

> I haven't actually done this (specifically for DDoS mitigation)...just speculating as to how it might easily be done given sufficient resources. The trouble is, the attackers have virtually unlimited bandwidth, and aren't constrained by having to pay for the bandwidth.

sounds like you got it all sorted out...

> ----------------------------------------------------------------------
> Jon Lewis, MCP :) | I route
> | therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
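The capacity arithmetic in the exchange above (a ~600G attack spread over a dozen BGP anycast origins, then over 32-wide ECMP to TCP listeners) is easy to sanity-check with a toy model. The following is an added example written for this archive page, not code from any of the thread's participants. It assumes a stand-in for BGP best-path selection (source first octet picks the origin), a SHA-256 five-tuple hash standing in for a router's ECMP hash, twelve placeholder site names, an RFC 5737 target address, and constructed flow sets; the interesting output is the second run, where attack sources are concentrated in one region and anycast spreading stops helping.

```python
"""Toy model of anycast + ECMP load spreading for DDoS capacity planning.

Everything here is constructed for illustration: site names are
placeholders, the "nearest site" rule stands in for BGP path selection,
and the flow sets are synthetic. Volumes are in Mbps.
"""
import hashlib
import random
from collections import Counter

# Twelve hypothetical anycast origins (placeholder names, not real PoPs).
SITES = ["site%02d" % i for i in range(12)]
# The attacked service; 203.0.113.0/24 is an RFC 5737 documentation range.
TARGET = ("203.0.113.10", 443, "tcp")


def nearest_site(src_ip):
    """Stand-in for BGP choosing the closest anycast origin for a source.

    Assumption: the source's first octet decides the origin. Real routing
    is far less uniform, which is exactly the caveat the model exposes.
    """
    first_octet = int(src_ip.split(".")[0])
    return SITES[first_octet % len(SITES)]


def ecmp_bucket(src_ip, src_port, dst_ip, dst_port, proto, width):
    """Deterministic five-tuple hash, as a router or LB does for ECMP."""
    key = "|".join(map(str, (src_ip, src_port, dst_ip, dst_port, proto)))
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % width


def distribute(flows, width):
    """Assign each flow to (site, listener); return Mbps per site and per listener."""
    per_site, per_listener = Counter(), Counter()
    dst_ip, dst_port, proto = TARGET
    for src_ip, src_port, mbps in flows:
        site = nearest_site(src_ip)
        bucket = ecmp_bucket(src_ip, src_port, dst_ip, dst_port, proto, width)
        per_site[site] += mbps
        per_listener[(site, bucket)] += mbps
    return per_site, per_listener


def make_flows(n, total_mbps, seed, first_octets=None):
    """Constructed attack of n equal-sized flows.

    With first_octets=None sources are spread over the whole unicast space;
    passing a short list confines them to a "region" (a reflection attack
    bouncing off one country's open resolvers, for instance).
    """
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        first = rng.choice(first_octets) if first_octets else rng.randint(1, 223)
        src_ip = "%d.%d.%d.%d" % (first, rng.randint(0, 255),
                                  rng.randint(0, 255), rng.randint(1, 254))
        flows.append((src_ip, rng.randint(1024, 65535), total_mbps // n))
    return flows


def summarize(per_site, per_listener):
    """Headline numbers a capacity planner would look at."""
    return {
        "sites_hit": len(per_site),
        "max_site_mbps": max(per_site.values()),
        "min_site_mbps": min(per_site.get(s, 0) for s in SITES),
        "max_listener_mbps": max(per_listener.values()),
    }


if __name__ == "__main__":
    total = 600_000  # ~600 Gbps, the figure quoted in the thread, as Mbps
    spread = distribute(make_flows(6000, total, seed=1), width=32)
    print("globally sourced attack:  ", summarize(*spread))
    # Sources confined to three first octets that all map to the same origin.
    hot = distribute(make_flows(6000, total, seed=1, first_octets=[1, 13, 25]), width=32)
    print("regionally sourced attack:", summarize(*hot))
```

In the globally sourced run each origin sees roughly 50G and each of its 32 listeners a few gigabits, which is the situation the thread describes as filterable. In the regionally sourced run the same 600G lands on a single origin, so the anycast layer buys nothing and only the ECMP fan-out at that site is left; the per-site figure, not the aggregate, is what has to be provisioned against.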