DDOS attack aimed at Absolute Hosting Networks

Is this the common old amplification attack using fragmented packets? Also is it incoming on International?

Typically it's a DDOS vendor who phones up to scrub it for you.
Lots of cheap IP cameras are involved - check previous post for number of unique IPs
 
Quick question @r00igev@@r - does using the BBR algorithm on a server typically help with a scenario like this when the network it's on is being DDoS'd?
 
Don't know as I've never tested it on extremely high congestion. But fq_codel and bbr will help in congested situations. The Linux config is two lines. Should default that on all servers.
 
I suspect it is fragmented packets so the first thing the network engineers can do is drop all fragmented UDP packets.

When that has taken the edge off of it you can rate limit fragmented UDP packets to about 200mbs for every 10gbs.

Edit: The Ciscos do that in hardware offload.
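
The two stages described in the post above (drop all fragmented UDP, then police it to about 200 Mb/s per 10 Gb/s of link) can be sketched in software. This is an added example, not code from the thread or from any router vendor; the function and class names, the token-bucket design and the 10 ms burst allowance are assumptions, and the packet headers are constructed sample data.

```python
import struct

UDP = 17

def make_header(proto, flags_frag, total_len=1500):
    """Build a constructed 20-byte IPv4 header (documentation addresses)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def classify(hdr):
    """Return 'udp-frag', 'udp' or 'other' for a raw IPv4 header."""
    if len(hdr) < 20 or hdr[0] >> 4 != 4 or hdr[9] != UDP:
        return "other"
    flags_frag = struct.unpack("!H", hdr[6:8])[0]
    # MF flag (0x2000) marks every fragment but the last; a non-zero offset
    # marks every fragment but the first. Only the first carries UDP ports,
    # so the match has to be made on the IP header, not on a port number.
    return "udp-frag" if flags_frag & 0x3FFF else "udp"

class FragmentPolicer:
    """Token bucket admitting fragmented UDP up to `share` of the link rate."""
    def __init__(self, link_bps, share=0.02, burst_seconds=0.01):
        self.rate = link_bps * share / 8          # bytes per second
        self.capacity = self.rate * burst_seconds
        self.tokens, self.last = self.capacity, 0.0

    def allow(self, now, hdr, length):
        if classify(hdr) != "udp-frag":
            return True                           # unfragmented traffic is untouched
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False

def admitted_mbps(policer, offered_bps, seconds=1.0, size=1500):
    """Offer a constant stream of UDP fragments; return the admitted Mb/s."""
    frag = make_header(UDP, 0x2000, size)
    gap = size * 8 / offered_bps
    count = int(seconds / gap)
    passed = sum(size for i in range(count) if policer.allow(i * gap, frag, size))
    return passed * 8 / seconds / 1e6

if __name__ == "__main__":
    print(admitted_mbps(FragmentPolicer(10e9), offered_bps=1e9))   # rate-limit stage
    print(admitted_mbps(FragmentPolicer(10e9, share=0), 1e9))      # drop-all stage
```

Setting `share=0` gives the drop-all stage; the default of 0.02 is the 200 Mb/s per 10 Gb/s ratio from the post.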
 
****. That's a massive attack. Isn't there a firewall product out there to stop these attacks? Or is it just too expensive for you?
Firewall products aren't capable of dealing with amplification attacks. The methods are upstream black holing or using a scrubbing centre. A scrubbing centre is basically a stack of hundreds of servers that strips the amplification traffic in layers as a single layer cannot handle the load. I think it's about 100k IPs per layer so 1M requires 10 layers.
 
Fair enough. As a follow-up question: can a small to midsized ISP afford a scrubbing centre or blackholing solution large enough to hold off a 30gbps attack?
 
No to the scrubbing centre as that is expensive but the blackholing is handled by the upstream Tier 1. Some have APIs for it such as Cogent. You can program that using https://fastnetmon.com/

Edit: The blackholing is part of the IP Transit service so basically doesn't cost extra.
 