[e2e] fault apportionment and mitigation
John Kristoff
jtk at northwestern.edu
Fri May 18 14:25:03 PDT 2007
On Fri, 18 May 2007 07:40:42 +0100
Jon Crowcroft <Jon.Crowcroft at cl.cam.ac.uk> wrote:
I have some practical experience mitigating DDoS attacks, but from the
perspective of a DNS service provider. So my views may not be a good
representation of all DDoS attacks, but I have seen the same botnets
attack systems and networks other than the type I have direct
operational responsibility for.
> some questions though:
> botnets -
> i) are they clustered on certain ISPs/ ASs and
Very often so. Very large national home Internet service providers
are common sources, and sometimes a particular botnet is made up
of many sources from a handful of them. However, in my judgment these
large providers are not necessarily seeing disproportionate numbers
of bots relative to any other sector. The same goes for every other
sector/AS; they seem to be generally representative of their size.
Response, that is the ability, willingness and capability to mitigate,
can differ widely however.
> iv) dos target : is it mainly server or is it as often topological attacks?
Almost always I see that packet floods are destined to a specific end
system that represents some user/customer server (usually http) or their
DNS service. The target is directly related to the victim that the
attacker is (almost surely) being paid to attack.
> v) ditto scanning
>
> vi) when ISPs shut things down near a source, what is the sequence of take down
> actions (detect/inform/warn/blackhole etc etc) and what are the costs of false
> positives
Often it is either:
detect/verify report -> filter/blackhole -> wait for complaint
or
detect/verify report -> filter/blackhole -> notify
> vii) how often is source spoofing an issue (e.g. would loose source routing make
> it worse much really?:-)
It happens, but not that common in the attacks I've seen (out of the
last dozen I can recall mitigating, maybe twice it happened and in those
particular cases I'm thinking of, they were coupled with a non-spoofed
packet flood attack and the spoofing was easy to detect and filter).
John