DDOS Attack on the domain host
Hi,
Wasn't sure where to post this so I hope this is the right place. My domain hosting company has been down for a couple of days now as they suffered a DDOS attack. I don't know much about it as all they do is provide me with the space for my website.
They basically told me
"At 6AM this morning and further to the DDOS attack we experienced yesterday evening, we received an increased level of traffic against the new IP address we provisioned for customers.
As such, we have now initiated null routing of the bad traffic at our upstream provider’s core gateway switches to further mitigate the traffic flow and remove the issue.
At this time the service will be intermittent and affecting a selective set of customers; however we are all working to mitigate the issue with the utmost priority"
Now I know what null0 is from my Cisco studies, but surely this method of blackholing routes based on a source and destination prefix seems a bit basic? I assume this is what they mean. Wouldn't they have been better off with IDS/IPS? I mean, isn't that what it's meant to do, protect from these types of attacks? Is this type of response they have implemented normal?
I'm an Xpert at nothing apart from remembering useless information that nobody else cares about.
Comments
networker050184 (Mod, Posts: 11,962)
What would you expect the IDS to do that a null route wouldn't? The traffic would still have to get to them for something like that to work. At that point the damage is already done. Null routes upstream can stop the traffic from ever getting to you.
Null routing at the upstream is pretty standard procedure for DDOS mitigation. You may lose some legitimate traffic as well, but it's worth it.
An expert is a man who has made all the mistakes which can be made.
swabbies (Member, Posts: 29)
Larger providers will either invest in their own DDOS mitigation gear from companies like Arbor Networks and Radware, or they will outsource that function to the ISP or a 3rd party such as Verisign to take over routes when they get attacked and clean the traffic.
thanks,
Swabbies
Lizano (Member, Posts: 230)
DDOS is a pain; it doesn't matter how secure your network is, if you have a 10 meg pipe to the internet and you are blocking 10 megs of bad traffic, the traffic is still filling up your internet pipe and causing "an outage". If you are lucky and able to identify a specific source IP of the attack, you can get the ISP to put in an ACL on their edge router for a limited amount of time (they don't like doing this and will do it only for a limited time due to CPU usage concerns). The alternative is they can null route your IP (the destination IP, hopefully you don't have anything important resolving to this IP). They prefer the null route way, but if you are resolving something important to that IP and can't afford to have the IP null routed, you might be able to talk them into putting up the ACL on the edge router.
Aldur (Member, Posts: 1,460)
Routing to a null0 interface works well as a reactive procedure, but it is best if you can stop the DDoS attack before it cripples your network in the first place. IPS mechanisms can help, but typical IDP tends to fall short: all the traffic is coming from different sources and typically each source doesn't produce enough traffic by itself to be a threat. Advanced IPS mechanisms such as application layer DDoS protections can also seriously help by being able to classify malicious sources and act upon those individual sources, even though small amounts of traffic are being produced by each host/bot.
However, as Lizano mentioned, if they fill up your upstream connection, it really doesn't matter what you're doing on your side. This is true and that's why it's important to have an ISP that employs DDoS protection mechanisms too. The more layers of security you have, the better protected you'll be against DDoS attacks. Still, even at that point, no IPS is perfect; it's just about providing as much protection as possible.
"Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."
-Bender
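The points Lizano and Aldur make can be seen in a small simulation. The following is an added example written for this thread, not code from any poster, vendor or ISP: it builds constructed one-second flow records (all IP addresses and rates are made up), applies a per-source threshold of the kind an IDS/IPS rule would use, then checks each destination's total inbound rate against an assumed 10 Mbit/s pipe. The distributed flood trips no per-source rule because every bot is quiet, yet the victim IP is well past the pipe capacity, which is exactly the case where the upstream null route is the tool that works. It then prints the two mitigations the thread discusses in Cisco IOS syntax: an edge ACL for the one loud source (ACL number 100 is an assumption) and a destination null route for the saturated IP.

```python
"""Added example, not code from the forum thread or any vendor.

Models why a per-source IDS/IPS threshold misses a distributed flood while a
destination-rate check still shows the outage, and emits the two mitigations
discussed in the thread (source ACL vs destination null route). All addresses,
rates and flow records are constructed; pipe size and thresholds are assumptions.
"""
from collections import defaultdict

# Assumed link and detection parameters (bytes per second).
PIPE_BYTES_PER_S = 1_250_000        # 10 Mbit/s pipe, as in Lizano's example
PER_SOURCE_BYTES_PER_S = 250_000    # 2 Mbit/s: an assumed single-source alert threshold


def build_flows():
    """Constructed one-second flow records: (src_ip, dst_ip, bytes)."""
    flows = []
    victim = "203.0.113.10"
    # 250 bots, each only 10 kB/s (80 kbit/s) toward the victim: 2.5 MB/s in total.
    for i in range(1, 251):
        flows.append((f"198.51.100.{i}", victim, 10_000))
    # Three legitimate visitors of the victim site.
    for i in range(1, 4):
        flows.append((f"192.0.2.{i}", victim, 20_000))
    # One loud single source hammering a different customer IP (400 kB/s).
    flows.append(("192.0.2.7", "203.0.113.20", 400_000))
    # Background traffic to that second IP.
    flows.append(("192.0.2.8", "203.0.113.20", 5_000))
    return flows


def rate_by(flows, key_index):
    """Sum bytes per second grouped by src (index 0) or dst (index 1)."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow[key_index]] += flow[2]
    return dict(totals)


def per_source_alerts(flows, threshold=PER_SOURCE_BYTES_PER_S):
    """What a per-source IDS/IPS rule would flag: sources above the threshold."""
    return sorted(src for src, rate in rate_by(flows, 0).items() if rate > threshold)


def saturated_destinations(flows, pipe=PIPE_BYTES_PER_S):
    """Destination IPs whose inbound total exceeds the pipe, i.e. the outage."""
    return sorted(dst for dst, rate in rate_by(flows, 1).items() if rate > pipe)


def source_acl(sources, acl_number=100):
    """Cisco IOS extended ACL lines blocking the listed sources at the edge.
    The syntax is standard IOS; the ACL number is an assumption."""
    lines = [f"access-list {acl_number} deny ip host {src} any" for src in sources]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def null_routes(destinations):
    """Cisco IOS destination null routes (the Null0 blackhole the OP asks about)."""
    return [f"ip route {dst} 255.255.255.255 Null0" for dst in destinations]


if __name__ == "__main__":
    flows = build_flows()
    loud = per_source_alerts(flows)
    saturated = saturated_destinations(flows)
    print("per-source alerts:", loud)            # only the single loud source
    print("saturated destinations:", saturated)  # the victim of the distributed flood
    print("\n".join(source_acl(loud)))
    print("\n".join(null_routes(saturated)))
```

Running it shows the per-source rule catching only 192.0.2.7 (which an ISP edge ACL can handle), while 203.0.113.10 is saturated by 250 sources that never individually cross the threshold; that destination is the one the provider would null route upstream, at the cost of the legitimate visitors to it.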