[c-nsp] ISP response and traffic billing for DDOS
Stephen Wilcox
steve.wilcox at packetrade.com
Mon Sep 3 06:09:01 EDT 2007
On 3 Sep 2007, at 03:58, Hock Jim wrote:
> Sorry for being slightly off-topic, but hoping to seek some advice on
> what is typically the case for ISP response in the case of a DDOS.

it's fine but check out nanog which is more Internet operational than
here..

> In the case of a DDOS attack that saturates an upstream, typically:
> 1. will the ISP charge (based on 95% percentile) for the days or hours
> where the traffic increased substantially due to attack traffic

95% means that 5% of traffic is discarded, that amounts to throwing
away around the top 37 hours of traffic so in the case of your DDoS
you are going to need to sustain it for a VERY long period for it to
significantly alter your billing

but the ISP should charge.. there are costs in carrying DDoS traffic!

> 2. will the ISP help to filter out the attack traffic once the
> source/destination has been identified (without any ISP involvement)

I would sincerely hope so, if you find trouble with any who are not
try making a post to the nanog list and see if you either get
responses from anyone with similar experience or hopefully a reply
from your ISP.

> 3. will the ISP charge for the traffic filter

I've not seen that. I don't see why they couldn't charge but it would
be in poor taste imho

> We were recently hit by an ICMP DDOS, after identifying the attack
> traffic through NBAR (why isn't NBAR hardware in Sup720?!?) and
> Netflow information, our experience with our (tier-one) ISPs has been
> less than stellar, and we were wondering if switching ISPs actually
> helps.

afaik all the tier1s have dedicated people working on this, I can
think of most if not all of them. care to drop a name and I'll give
you a pointer (private if you prefer)

some of those folks are VERY good at what they do too so consider
they may be able to help you with an attack at the early stages
without you needing to identify the nature of the attack - their
tools will be more sophisticated and they can quickly spot the
malicious looking traffic flowing to you. there are also processes in
place that will locate and shut down the attackers, hitting it at
source rather than needing to rely on a filter for the duration of
the attack

Steve

>
> Thanks in advance.
>
> regards,
> Jim
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
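
The 95th-percentile point in the reply above, worked through as an added example that is not part of the original thread. It assumes 5-minute usage samples, a 31-day month and a flat constructed baseline; the function names and the Mbps figures are hypothetical.

```python
# Added illustration, not from the original thread. The 5-minute sample
# interval, 31-day month and traffic rates are assumptions.
SAMPLE_MINUTES = 5
DAYS_IN_MONTH = 31
SAMPLES_PER_MONTH = DAYS_IN_MONTH * 24 * 60 // SAMPLE_MINUTES  # 8928


def billed_rate(samples, percentile=95):
    """Sort the samples, discard the top (100 - percentile)%, bill the next one."""
    ordered = sorted(samples, reverse=True)
    discarded = len(ordered) * (100 - percentile) // 100
    return ordered[discarded]


def discarded_hours(percentile=95):
    """Hours of peak traffic per month that never reach the bill."""
    discarded = SAMPLES_PER_MONTH * (100 - percentile) // 100
    return discarded * SAMPLE_MINUTES / 60


def month_with_spike(baseline_mbps, spike_mbps, spike_hours):
    """Constructed month: flat baseline plus one spike of the given length."""
    spike_samples = round(spike_hours * 60 / SAMPLE_MINUTES)
    return ([spike_mbps] * spike_samples
            + [baseline_mbps] * (SAMPLES_PER_MONTH - spike_samples))


def hours_until_bill_moves(baseline_mbps, spike_mbps):
    """Shortest spike, in hours, that raises the billed rate above baseline."""
    for n in range(SAMPLES_PER_MONTH + 1):
        hours = n * SAMPLE_MINUTES / 60
        month = month_with_spike(baseline_mbps, spike_mbps, hours)
        if billed_rate(month) > baseline_mbps:
            return hours
    return None


if __name__ == "__main__":
    print("hours discarded per month:", round(discarded_hours(), 2))
    for hours in (12, 36, 38):
        rate = billed_rate(month_with_spike(100, 1000, hours))
        print(f"{hours:>2} h spike at 1000 Mbps -> billed at {rate} Mbps")
    print("bill moves after", hours_until_bill_moves(100, 1000), "hours")
```

With a baseline that varies over the day, a spike shorter than this threshold still uses up discard slots, so the billed sample becomes one of the higher normal peaks rather than the spike rate itself.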