DDOS, IDS, RTBH, and Rate limiting
On 9 Nov 2014, at 10:37, Jon Lewis wrote:

> I'm sure it's not always the case, but in my experience as a SP, the
> victim virtually always did something to instigate the attack, and is
> usually someone you don't want as a customer.

This may be a reflection of your experience and customer base, but it
isn't a valid generalization. Legitimate customers are attacked all the
time, for various reasons - including unknowingly having their servers
compromised and used as C&Cs by miscreants, who're then attacked by
other miscreants.

But to say that attacks are 'virtually always' provoked by customers
themselves simply isn't true. DDoS extortion, ideologically-motivated
DDoS attacks, maskirovkas intended as a distraction away from other
activities, simple nihilism, et al. are, unfortunately, quite common.

> When I worked for a cloud hosting provider, the DDoS "victims" tended
> to be fraudulent signups who were doing malicious or anti-social
> things on the net and were not paying customers anyway.

Many DDoS attacks are miscreant-vs.-miscreant, that's certainly true.
Compromised machines are 'attractive nuisances', which is yet another
reason it's important to have visibility into your network traffic (it's
easy to get started with NetFlow and open-source tools).

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>