[nsp-sec] Persistent and escalating DDoS against the Norwegian academic library system provider
Roland Dobbins
rdobbins at arbor.net
Wed Apr 8 05:54:56 EDT 2015
On 8 Apr 2015, at 16:26, Rune Sydskjor wrote:
> Even more rate limiting against 129.241.16.62
Aggregate rate-limiting during an attack is the worst thing you can do -
it simply ensures that the programmatically-generated attack traffic
crowds out the legitimate traffic.
Putting some basic tACLs in place based on the protocols/ports actually
being used will keep out-of-policy stuff like the SSDP off the site.
Since what you're describing doesn't involve spoofed sources at the
target end, posting a list of source IPs by ASN would be helpful.
For the layer-7 stuff, start with a reverse-proxy farm in front of the
Web servers, and some log analysis to block traffic easily identified as
illegitimate.
For the more complex stuff, there are commercial solutions/services
which can be used to deal with that [full disclosure, I'm employed by a
vendor of such solutions].
But if you start with the above, you'll be able to deal with the bulk of
the attack traffic, which will make things easier.
Have a look at the recommendations in this preso:
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
Again, the key to getting assistance from other operators is to post
source IPs with ASNs for the non-spoofed traffic (from the target end;
i.e., the SSDP flooding and the http stuff).
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
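The log-analysis and source-list steps recommended above, as an added example that is not part of the original post: a small Python script parses combined-format web access-log lines, flags sources that are easy to call illegitimate (many hits, no User-Agent at all) and groups them by ASN so the list can be shared with other operators. The log lines, the prefix-to-ASN table and the ASNs are constructed placeholders; a real run would take the ASN mapping from a BGP table or whois lookup.

```python
import re
import ipaddress
from collections import Counter, defaultdict
# Constructed combined-format access-log sample (not from the original post).
SAMPLE_LOG = """\
198.51.100.7 - - [08/Apr/2015:10:00:01 +0200] "GET /search?q=a HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [08/Apr/2015:10:00:01 +0200] "GET /search?q=a HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [08/Apr/2015:10:00:02 +0200] "GET /search?q=a HTTP/1.1" 200 512 "-" "-"
203.0.113.9 - - [08/Apr/2015:10:00:02 +0200] "GET /search?q=b HTTP/1.1" 200 512 "-" "-"
192.0.2.44 - - [08/Apr/2015:10:00:03 +0200] "GET /catalog/item/42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""
# Constructed prefix-to-ASN table with placeholder ASNs; a real run would use
# a BGP table or whois lookup instead of a hard-coded dict.
PREFIX_TO_ASN = {"198.51.100.0/24": "AS64500", "203.0.113.0/24": "AS64501"}
# Source IP, request line, status code and User-Agent of a combined-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)
    return None if m is None else dict(zip(("ip", "request", "status", "ua"), m.groups()))

def asn_for(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, asn in PREFIX_TO_ASN.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return "AS-unknown"

def flag_sources(log_text, max_requests=3):
    """{ip: [reasons]} for sources easy to call illegitimate here: at least
    max_requests hits in the sample, or no User-Agent header at all."""
    hits, no_ua = Counter(), set()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        hits[rec["ip"]] += 1
        if rec["ua"] in ("", "-"):
            no_ua.add(rec["ip"])
    flagged = defaultdict(list)
    for ip, n in hits.items():
        if n >= max_requests:
            flagged[ip].append(f"{n} requests")
    for ip in no_ua:
        flagged[ip].append("empty User-Agent")
    return dict(flagged)

def group_by_asn(ips):  # group flagged sources by ASN, the form other operators act on
    groups = defaultdict(list)
    for ip in ips:
        groups[asn_for(ip)].append(ip)
    return {asn: sorted(v) for asn, v in groups.items()}
```

Calling `group_by_asn(flag_sources(SAMPLE_LOG))` on the constructed sample yields the two placeholder ASNs with their offending addresses, while the browser-like source at 192.0.2.44 is left alone.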