No, there are multiple sources. They meant destination, as in where in their network was the attack targeted. In short, which IP address in their network.
You should read the article.
Justin Bieber uses the internet, I'm going to stop using it now.
Correct. It seems that they just pulled the cable instead of using the firewall to filter and rate limit.
Terrorists use Nokia Cellphones, we should not use Nokia phones.
Afrihost CEO Gian Visser previously confirmed that the ANC website is hosted on a dedicated server on its network. Internet Solutions, in turn, provides hosting services to Afrihost.
You comparing a kid that worked his rear end off to become what he is now to the corrupt ANC?
By using your logic, you shouldnt drive around in anything, eat anything, drink anything because the ANC is involved somewhere along the process. Or where is that line that you draw? I find this logic weird.
One does not use a firewall to mitigate a DDoS attack.
Yeah, if the firewall can handle it then its not really a serious attack. The computational overhead of stateful inspection usually results in the firewalls being one of the first to fail.
Yeah - I doubt that the just pulled the plug on the server. The attack traffic would normally continue regardless and carry on overwhelming the rest of the network.
Very interesting, thanks for this information!
Of course you do. What you mean is that you do not ONLY need to use a firewall to mitigate a DDOS attack.
If you set that on the firewall, you will still be receiving an extremely large amount of data travelling to your website. The fact is, there is no way for you to detect all the attacking sources at such a large scale. say,set this rule on your firewall for 10 000 attacking sources, how will you do that in minutes? Remember, you need to determine every IP that is attacking, which, fair enough, can be determined easily with some network monitoring tools, and this from a series of different IP ranges. So you set your rules, the attacker changes the proxy that the attack is generating from(given, that it is a completely controlled movement and is not run via windows viruses), leaving your rule pointless.
You do not use a firewall to mitigate a DDoS attack, period. Firewalls are usually the first thing to choke in an attack, and mitigation has to be done before them, on dedicated devices with ASICs designed to perform only this function. They also have to have enough bandwidth (usually tens of Gigabits+) to absorb the attack before cleaning the inbound traffic. There is a reason these mitigation devices (and services using them) are freaking expensive: they are the only thing that can do the job. Lord Nikon6 is right - simple rules on a firewall will be sidestepped by a 12 year old script kiddie, and that's if the CPS or volume of traffic hasn't bombed your firewall before that.
Agreed, even the highest-end firewalls are still based on an architecture of running complex sw on general purpose CPUs, largely on PC based hardware components. On multi-Gigabit networks it doesn't take much to exhaust their processing/forwarding resources with an avalanche of maliciously crafted micro-packets.
Yeah at the extreme no in-line devices, besides the ASIC based core routing switches, will be able to handle the situation. Carrier grade DDoS prevention systems thus sit out of band analysing traffic patterns and once a threat scenario is detected, they orchestrate the core's BGP routing protocol to blackhole the offending flows as close to source as possible.