Comments
Singapore? Someone has enough money to even purchase a huge amount of bandwidth in Singapore to perform these attacks?
The bandwidth is pretty small (under 100Mbps), it's the PPS that hurts.
Ah, right. >_>
Contact DC/ISP for action?
Same reason HTTP floods are effective at taking down web servers with literally no bandwidth: PPS floods take down routers. Time for some router upgrades?
Already did, I don't expect much though.
We don't have that kind of money so we have something more effective in mind.
Agree, some weeks ago I got a more than 1Gbps UDP flood generated by 2 IPs in one DC, and the next day they contacted me saying that they "will contact the client", and no further update.
The next day I got a SYN flood from another DC and they closed the ticket after 3 days :-(
I notice most attacks and have "visibility" of what happens because of the sFlow/NetFlow monitoring. Without this I would be blind (as are most of the DCs I know).
Most of the attacks are too small to even escalate in the big DCs, since they know that by blackholing the target you can solve the problem yourself (or your DC/upstream people can).
This way we punish the victim and not the culprit.
When we got the >3.5Gb UDP flood DDoS we had to propagate the blackholing to our DC and their upstreams. We had no chance. The BH was enforced for 2 days; we lost the client, but really we had to protect the other clients on the same node.
Most SG providers should respond and do something, simply because bandwidth even in low amounts, is expensive here. Can't afford having a rogue box/client around. Let me know via PM if there's anything I can help with.
It's easy to monitor when your scale is small, but once you grow larger (eg. OVH), it becomes difficult to do so efficiently. Especially when you have multi-10GE links, most floods are almost transparent to your "monitoring", it might just be a client bursting bandwidth.
I'm aware of something bad because when a node is under DoS Nagios sends alerts, and I usually can't see most DoS attacks by looking at the bandwidth because they are under 2-300Mbps.
I usually receive Nagios alerts because of the packet loss on the node and then look at the sFlow monitor. Here I cannot look at the bandwidth because it is not effective, but I look at the packets (frames) per second, which show you the anomaly.
Look at the following screenshots:
Here you can see an IP (the red bars) is doing some traffic (more than the others),
but since regular traffic doesn't raise PPS I don't care, because looking at the following chart I see all is regular (the red bars here are for a different IP; the IP of the previous chart isn't in the top 5 PPS destinations).
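The "rank destinations by PPS, not by bandwidth" check the previous posts describe, as an added example (not code from the thread or from any of the posters' monitoring setups). It assumes sFlow/NetFlow per-destination counters for one window that have already been scaled up by the sampling rate; the counters, the 60-second window, the 50 kpps threshold and the 128-byte "small packet" cutoff are all constructed for the example. A bulk transfer at 480 Mbps tops the bandwidth chart while a 64-byte flood at roughly 50 Mbps tops the PPS chart and is the only destination flagged:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed per-destination counters for one 60-second window: (dst_ip, packets, bytes).
# These are made-up numbers, not measured traffic. The 64-byte stream to 203.0.113.20
# stands in for a small-packet flood: about 51 Mbps, but 100 kpps.
WINDOW_SECONDS = 60
SAMPLE_COUNTERS: List[Tuple[str, int, int]] = [
    ("203.0.113.10", 2_400_000, 3_600_000_000),  # bulk transfer: 1500-byte packets, 480 Mbps, 40 kpps
    ("203.0.113.20", 6_000_000,   384_000_000),  # flood: 64-byte packets, 51.2 Mbps, 100 kpps
    ("203.0.113.30",   300_000,   240_000_000),  # ordinary traffic: 800-byte packets, 32 Mbps
    ("203.0.113.40",   120_000,    96_000_000),
    ("203.0.113.50",    60_000,    48_000_000),
    ("203.0.113.60",    30_000,    24_000_000),
]


@dataclass(frozen=True)
class DestStats:
    dst: str
    pps: float            # packets per second
    mbps: float           # megabits per second
    avg_pkt_bytes: float  # average packet size; floods are typically tiny packets


def aggregate(counters: Iterable[Tuple[str, int, int]], window_seconds: int) -> List[DestStats]:
    """Sum packets and bytes per destination over the window and convert to rates."""
    packets: Dict[str, int] = defaultdict(int)
    octets: Dict[str, int] = defaultdict(int)
    for dst, pkts, byts in counters:
        packets[dst] += pkts
        octets[dst] += byts
    stats = []
    for dst, pkts in packets.items():
        pps = pkts / window_seconds
        mbps = octets[dst] * 8 / window_seconds / 1_000_000
        avg = octets[dst] / pkts if pkts else 0.0
        stats.append(DestStats(dst, pps, mbps, avg))
    return stats


def top_n(stats: List[DestStats], key: str, n: int = 5) -> List[DestStats]:
    """Top-N destinations by one field ('pps' or 'mbps'), like the two charts in the post."""
    return sorted(stats, key=lambda s: getattr(s, key), reverse=True)[:n]


def flag_pps_anomalies(stats: List[DestStats],
                       pps_threshold: float = 50_000.0,
                       max_avg_pkt_bytes: float = 128.0) -> List[DestStats]:
    """Destinations that are hot in PPS while carrying small packets.

    A bulk download at 40 kpps of 1500-byte frames is normal; 100 kpps of
    64-byte frames at a fraction of the bandwidth is the pattern that hurts
    routers. Thresholds are assumptions; tune them per link and platform.
    """
    return [s for s in stats
            if s.pps >= pps_threshold and s.avg_pkt_bytes <= max_avg_pkt_bytes]


def analyze(counters: Iterable[Tuple[str, int, int]] = SAMPLE_COUNTERS,
            window_seconds: int = WINDOW_SECONDS) -> Dict[str, List[str]]:
    """Return the two top-5 rankings and the flagged destinations."""
    stats = aggregate(counters, window_seconds)
    return {
        "top_by_mbps": [s.dst for s in top_n(stats, "mbps")],
        "top_by_pps": [s.dst for s in top_n(stats, "pps")],
        "flagged": [s.dst for s in flag_pps_anomalies(stats)],
    }


if __name__ == "__main__":
    for name, dsts in analyze().items():
        print(f"{name}: {dsts}")
```

Feeding real sFlow or NetFlow exports into `aggregate` is a matter of producing the same (dst, packets, bytes) triples per window; the detection rule itself is just the ratio the poster reads off the charts, packets against bytes, rather than bandwidth alone.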
That's reassuring.