{"id":786,"date":"2007-05-28T15:18:18","date_gmt":"2007-05-28T23:18:18","guid":{"rendered":"\/?p=786"},"modified":"2007-05-28T15:21:41","modified_gmt":"2007-05-28T23:21:41","slug":"roland-dobbins-on-ddos-attacks-and-mitigations","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=786","title":{"rendered":"Roland Dobbins on DDoS attacks and mitigations"},"content":{"rendered":"<p>Roland Dobbins has written to point out that the recent <a href=\"\/?p=785\">Russian cyber-attacks<\/a> on Estonia are not the first launched by one state against another (he cites incidents during the Balkan conflict, as well as China versus Japan).<\/p>\n<p>Then he gives us an overview of&nbsp;DDoS attacks and mitigations:<\/p>\n<blockquote><p>DoS attacks are easy to trace as long as Service Providers (SPs) have the proper instrumentation and telemetry enabled&nbsp;on their routers &#8211; NetFlow is the most common way of doing this, along&nbsp; with various open-source and commercial tools (nfdump\/ nfsen,&nbsp;Panoptis, Arbor, Lancope, Narus, Q1).<\/p>\n<p>Most DDoS attacks these days aren&#39;t spoofed, because a) there&#39;s no&nbsp;need, given the zillions of botted computers out there available for&nbsp;use as attack platforms and b) because many SPs have implemented antispoofing technologies such as uRPF, iACLs, etc.<\/p>\n<p>However, antispoofing (BCP38\/BCP84) isn&#39;t universally deployed, and so the ability to spoof combined with DNS servers which are misconfigured as open recursors means that attackers can launch very large (up to&nbsp;25gb\/sec that I know of) spoofed DDoS attacks, due to the amplification factor of the open DNS recursors.<\/p>\n<p>There are various mitigation techniques employed such as&nbsp; destination-based (destroys the village in order to save it) and\/or&nbsp;source-based remotely-triggered blackholing (S\/RTBH), plain old iACLs, and dedicated DDoS mitigation appliances; there&#39;s a lot of&nbsp;information-sharing and 
coordinated mitigation which takes place in&nbsp;the SP community, as well.<\/p>\n<p>But there isn&#39;t nearly enough of any of these things, especially in the developing world.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Most DDoS attacks these days aren&#39;t spoofed, because there&#39;s no need, given the zillions of botted computers out there&#8230;<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,23],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/786"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=786"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/786\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=786"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=786"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}