[c-nsp] ISP response and traffic billing for DDOS

Hock Jim hohockjim at gmail.com
Mon Sep 10 17:23:27 EDT 2007


Just want to drop a note of gratitude to all who replied to me online and offline.

Think the general consensus of this straw poll is that:
1. yes, ddos traffic is and should be chargeable, and rightly so, to be
fair to ISPs
2. *simple* filtering of ddos traffic should be an ISP obligation, and non-chargeable
3. reputable and tier-1 ISPs have chargeable DDOS early detection and
remediation services

Thanks everyone.

regards,
Jim

On 9/3/07, Stephen Wilcox <steve.wilcox at packetrade.com> wrote:
> On 3 Sep 2007, at 03:58, Hock Jim wrote:
>
> > Sorry for being slightly off-topic, but hoping to seek some advice on
> > what is typically the case for ISP response in the case of a DDOS.
>
> it's fine but check out nanog which is more Internet operational than
> here..
>
> > In the case of a DDOS attack that saturates an upstream, typically:
> > 1. will the ISP charge (based on 95% percentile) for the days or hours
> > where the traffic increased substantially due to attack traffic
>
> 95% means that 5% of traffic is discarded, that amounts to throwing
> away around the top 37 hours of traffic so in the case of your DDoS
> you are going to need to sustain it for a VERY long period for it to
> significantly alter your billing
>
> but the ISP should charge.. there are costs in carrying DDoS traffic!
>
> > 2. will the ISP help to filter out the attack traffic once the
> > source/destination has been identified (without any ISP involvement)
>
> i would sincerely hope so, if you find trouble with any who are not
> try making a post to the nanog list and see if you either get
> responses from anyone with similar experience or hopefully a reply
> from your ISP.
>
> > 3. will the ISP charge for the traffic filter
>
> i've not seen that. i don't see why they couldn't charge but it would
> be in poor taste imho
>
> > We were recently hit by an ICMP DDOS, after identifying the attack
> > traffic through NBAR (why isn't NBAR hardware in Sup720?!?) and
> > Netflow information, our experience with our (tier-one) ISPs has been
> > less than stellar, and were wondering if switching ISPs actually
> > helps.
>
> afaik all the tier1s have dedicated people working on this, i can
> think of most if not all of them. care to drop a name and i'll give
> you a pointer (private if you prefer)
>
> some of those folks are VERY good at what they do too so consider
> they may be able to help you with an attack at the early stages
> without you needing to identify the nature of the attack - their
> tools will be more sophisticated and they can quickly spot the
> malicious looking traffic flowing to you. there are also processes in
> place that will locate and shut down the attackers, hitting it at
> source rather than needing to rely on a filter for the duration of
> the attack
>
> Steve
>
> >
> > Thanks in advance.
> >
> > regards,
> > Jim
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
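
The 95th-percentile point made in the quoted reply, worked through as an added example that is not part of the original thread. It assumes 5-minute samples, a 31-day billing month, and constructed flat rates (100 Mbps normal, 1000 Mbps under attack); all function names are hypothetical.

```python
SAMPLE_MIN = 5   # assumed sampling interval in minutes
DAYS = 31        # assumed length of the billing month


def samples_in_month(days=DAYS):
    return days * 24 * 60 // SAMPLE_MIN


def percentile_95(samples):
    """Sort the samples, discard the top 5%, bill the highest one left."""
    ordered = sorted(samples)
    keep = (95 * len(ordered) + 99) // 100  # ceil(0.95 * n) in integer math
    return ordered[keep - 1]


def discarded_hours(days=DAYS):
    """Hours of peak traffic that fall in the discarded top 5%."""
    n = samples_in_month(days)
    return (n - (95 * n + 99) // 100) * SAMPLE_MIN / 60


def billed_rate(attack_hours, base_mbps=100, attack_mbps=1000, days=DAYS):
    """Billed Mbps for a month with one attack of the given duration."""
    n = samples_in_month(days)
    attack_n = min(n, round(attack_hours * 60 / SAMPLE_MIN))
    # Constructed month: flat baseline plus a flat attack plateau.
    month = [base_mbps] * (n - attack_n) + [attack_mbps] * attack_n
    return percentile_95(month)


def hours_until_bill_changes(base_mbps=100, attack_mbps=1000, days=DAYS):
    """Shortest attack duration that moves the billed rate off the baseline."""
    baseline = billed_rate(0, base_mbps, attack_mbps, days)
    for attack_n in range(1, samples_in_month(days) + 1):
        hours = attack_n * SAMPLE_MIN / 60
        if billed_rate(hours, base_mbps, attack_mbps, days) != baseline:
            return hours
    return None


if __name__ == "__main__":
    print(f"discarded per month: {discarded_hours():.1f} h")
    for h in (24, 37, 38, 48):
        print(f"{h:>2} h attack -> billed {billed_rate(h)} Mbps")
    print(f"bill changes after {hours_until_bill_changes()} h of attack")
```

With a real baseline, ordinary daily peaks already occupy part of the discarded 5%, so the bill moves after fewer attack hours than this flat-baseline model shows.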

