
DDoS Attacks: Best Practices for Prevention and Response - kungfudoi
https://insights.sei.cmu.edu/sei_blog/2016/11/distributed-denial-of-service-attacks-four-best-practices-for-prevention-and-response.html
======
hueving
These points are so high level and obvious that this is basically useless:

>Locate servers in different data centers.

>Ensure that data centers are located on different networks.

>Ensure that data centers have diverse paths.

>Ensure that the data centers, or the networks that the data centers are
connected to, have no notable bottlenecks or single points of failure.

Getting Robbed: Best practices for Prevention and Response

* Don't carry all of your money with you at all times.

* Don't advertise that you're carrying large sums of money.

* Have enough money that getting robbed doesn't really affect you.

* Pay someone else to do your errands so you're not at risk.

~~~
gbuk2013
I work for a DDoS protection company and while the advice in the article is
indeed high level, it is exactly what we do.

  - buy a ton of network capacity in multiple locations around the world
  - route incoming traffic to different locations at BGP level

This is really the only way to reliably cope with modern volumetric attacks
right now.

On top of that we:

  - scrub the traffic using some expensive fancy appliances(*)
  - employ a bunch of very skilled people to manage it all and provide support

This is what you need to protect against protocol / application level attacks.

* which we get a very good deal on by virtue of making said appliances :)

~~~
bogomipz
>"buy a ton of network capacity in multiple locations around the world"

There are estimates that the Dyn attack was 1.2Tbps. What provider do you work
for that can absorb that?

>"scrub the traffic using some expensive fancy appliances(*)"

Does scrubbing work with a bunch of randomized source ports and source
address? How do you find the "signature" in that to scrub? It was my
understanding that the traffic in the Dyn attacks was indistinguishable from
legitimate traffic. Can you explain how traffic scrubbing works in such
scenarios? Or do you just drop stuff on the floor?

~~~
dgemm
Yes it is possible. For example, uniformly randomized ports and addresses
_are_ a signature - if you study real traffic you find it doesn't look like
that.

A lot of smart people have spent a lot of time thinking about this problem.
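dgemm's point, that uniformly random source ports and addresses are themselves a signature, can be measured rather than eyeballed. The Python below is an example added here; it is not code from the thread or from any mitigation vendor. It constructs two traffic windows (a baseline of repeat clients from a documentation address range, and a flood in which every packet carries a fresh random source) and scores each by the normalized Shannon entropy of the source ports and by the fraction of packets whose source address was already seen in the window. The thresholds and the window construction are assumptions for illustration, not measured values.

```python
import math
import random
from collections import Counter
from ipaddress import IPv4Address

# Assumed thresholds for this example; a real deployment would derive them
# from its own measured baseline rather than from constants like these.
PORT_ENTROPY_THRESHOLD = 0.9   # fraction of the maximum entropy a sample this size can have
REPEAT_IP_THRESHOLD = 0.2      # fraction of packets from an already-seen source address


def normalized_entropy(values):
    """Shannon entropy of `values`, scaled to [0, 1] by log2(sample size).

    A window where almost every value is distinct scores close to 1.0;
    a window dominated by a few repeated values scores well below it.
    """
    n = len(values)
    if n < 2:
        return 0.0
    counts = Counter(values)
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def repeat_source_ratio(src_ips):
    """Fraction of packets whose source address appeared earlier in the window."""
    seen = set()
    repeats = 0
    for ip in src_ips:
        if ip in seen:
            repeats += 1
        seen.add(ip)
    return repeats / len(src_ips) if src_ips else 0.0


def classify_window(packets):
    """packets: list of (src_ip, src_port). Returns (verdict, metrics)."""
    ips = [p[0] for p in packets]
    ports = [p[1] for p in packets]
    metrics = {
        "port_entropy": normalized_entropy(ports),
        "repeat_ip_ratio": repeat_source_ratio(ips),
    }
    # Near-uniform ports combined with almost no returning addresses is the
    # shape of a spoofed flood; real client populations repeat themselves.
    suspicious = (metrics["port_entropy"] > PORT_ENTROPY_THRESHOLD
                  and metrics["repeat_ip_ratio"] < REPEAT_IP_THRESHOLD)
    return ("spoofed-flood" if suspicious else "normal", metrics)


def legit_window(rng, n=2000):
    """Constructed baseline: 40 repeat clients in 203.0.113.0/24 (TEST-NET-3),
    each cycling through a handful of ephemeral ports."""
    clients = [str(IPv4Address("203.0.113.0") + i) for i in range(1, 41)]
    packets = []
    for _ in range(n):
        idx = rng.randrange(len(clients))
        packets.append((clients[idx], 49152 + idx * 4 + rng.randrange(4)))
    return packets


def flood_window(rng, n=2000):
    """Constructed flood: every packet has a random 32-bit source address and
    a random high source port, the pattern the thread describes."""
    return [(str(IPv4Address(rng.getrandbits(32))), rng.randrange(1024, 65536))
            for _ in range(n)]


def demo(seed=1):
    """Classify one constructed baseline window and one constructed flood window."""
    rng = random.Random(seed)
    windows = (("baseline", legit_window(rng)), ("flood", flood_window(rng)))
    return {name: classify_window(w)[0] for name, w in windows}


if __name__ == "__main__":
    rng = random.Random(1)
    for name, window in (("baseline", legit_window(rng)), ("flood", flood_window(rng))):
        verdict, m = classify_window(window)
        print(f"{name:8s} -> {verdict:14s} "
              + " ".join(f"{k}={v:.2f}" for k, v in m.items()))
```

The entropy is normalized by log2 of the sample size rather than by log2(65536), because a 2000-packet window can never show more than about 11 bits of port entropy however random the sources are; normalizing by sample size keeps the score comparable across window sizes. The repeat-address ratio is what separates "random" from "many distinct clients": a busy legitimate site also shows high address entropy, but its clients come back within the window.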

~~~
lucb1e
Well sure it's a signature of being under attack, but is there also a solution
to whom you are going to block and whom you are going to send a response to?
That is not immediately obvious to me when packets have random source IPs,
ports, query IDs and normal-looking domains.

~~~
gbuk2013
See my answer to brownbat's questions above.

------
lima
Google cache:
[http://webcache.googleusercontent.com/search?q=cache:https:/...](http://webcache.googleusercontent.com/search?q=cache:https://insights.sei.cmu.edu/sei_blog/2016/11/distributed-denial-of-service-attacks-four-best-practices-for-prevention-and-response.html&num=1&strip=1&vwsrc=0)

~~~
hamilyon2
Does anyone else notice the irony?

~~~
dgacmu
If you'd like more: I'm a professor at CMU, and my office is currently offline
because someone decided to throw 5gbit/sec at my machine starting last
Thursday. CMU's response - which I can't really fault, given that my office is
not geo-distributed - was to filter inbound traffic at our upstream provider.
No Internet for me; I'm back on the wifi. :)

~~~
jlgaddis
You should send your infosec department a link to this article. <g>

------
AgentK20
Unfortunately, all of these "Best Practices" are "spend more money," which
effectively means the attacker wins. They're forcing you to spend more money,
even if they're not attacking you now/recently. Would love to see more things
that reference open source mitigation software and such like that, e.g.
tossing a hardened nginx in front of your Tomcat server, stuff like that.

Granted, at some point, you're going to have to spend money to mitigate the
attack no matter what, but if mitigation of DDoSs becomes entirely focused on
"Go with a big centralized provider" or "Spend lots of money to mitigate the
attacks," we end up in a much different Internet.

~~~
dorianm
Cloudflare is free, so there is that :)

~~~
AgentK20
True, and while Cloudflare is a great company, putting all our eggs in one
basket isn't particularly wise. Not saying that this'll happen, but we've seen
"great companies" that were great while there was strong competition, but
eventually when they became the monopoly began to strangle out anything that
they were against. Protection providers like Cloudflare would have enormous
power to simply kick out a user for being "too costly to host," like Akamai
did to KrebsOnSecurity, and then you'd get destroyed by attacks.

~~~
dx034
Krebs didn't pay Akamai. It will be similar on Cloudflare. If you're on a free
plan, they will have a limit on what they will defend for you. Layer 3/4 and 7
attacks are only covered in the business plan, but if you use this plan (which
likely makes sense for many due to other features), I'm pretty sure they won't
throw you out.

Mitigating DDoS is one of the main selling points nowadays. That's why OVH
wrote so much about the huge attack they defeated (and they didn't name the
impacted clients), Cloudflare offered Krebs to host him (he refused) and other
providers add scrubbing centers.

I actually think it's rather cheap to defend against DDoS if you're a small
company. Large companies will have it harder as they typically have more
complex requirements and cannot just shift everything behind Cloudflare or
similar services.

~~~
dorianm
The CEO of Cloudflare talked about it at Black Hat[1], and for instance they
protected a Hong Kong voting website for free while it was under heavy DDoS
attacks.

[1]: [https://www.youtube.com/watch?v=SWFX-zEYwN0](https://www.youtube.com/watch?v=SWFX-zEYwN0)

------
AndrewStephens
Well I finally got the article on DDoS attacks to load (I haven't been this
put out since it raaaained on my wedding day). I didn't find it particularly
illuminating.

> Deploy appropriate hardware that can handle known attack types and use the
> options that are in the hardware that would protect network resources...

> If affordable, scale up network bandwidth...

> There are several large providers that specialize in scaling infrastructure
> to respond to attacks...

This advice all seems rather obvious.

------
nailer
15 years ago: wow DDoS attacks are a thing. ISPs need to implement egress
filtering.

Now: wow DDoS attacks are still a thing. ISPs need to implement egress
filtering.

A consumer internet user who visits baidu doesn't need to be flooding an anti-
censorship project's github page.

A consumer internet user with an internet-of-shit camera doesn't need to be
hitting dyn that frequently.

ISPs need to coordinate and rate limit customers towards something that looks
like reasonable traffic.

~~~
erikb
Do you know that there are people who actively fight against ISPs filtering
the internet?

~~~
citrin_ru
People usually fight against filtering which limits legitimate usage (like
filtering port 80 to prevent hosting a web site at home). I doubt that anybody
fights against RFC2827, but there are still many ISPs which don't implement
this.

------
lossolo
As someone that experienced a DDoS which made the whole of Leaseweb feel it
(the site I was operating was on servers in Leaseweb), I can tell you one
thing: unless you are DDoSed by someone from their home connection or one
server, you need professional DDoS protection. No guide will help you here;
you probably don't have a pipe big enough in case of a UDP flood and don't
have enough resources in case of sophisticated TCP attacks.

If you only want to protect your website then go for Cloudflare Pro; it will
be enough for 95% of DDoSers. If Cloudflare is not enough then you need
thousands or tens of thousands of dollars to get protection.

~~~
dx034
Do you know if anyone has ever been kicked from Cloudflare Pro because the
attack was too large?

I'd guess that they're one of the largest companies providing DDoS defenses.
I'd guess if they can't handle it there aren't many more that could. But I don't
know if that has ever happened.

------
dogma1138
They might want to consider implementing a few of those controls.

~~~
CiPHPerCoder
Sadly, just because you know what the best practices are doesn't mean your
university's IT department will let you implement them.

Same can often be said if you replace "university" with "company".

Internal political problems are beyond NP-hard.

~~~
seanwilson
> Sadly, just because you know what the best practices are doesn't mean your
> university's IT department will let you implement them.

The common saying is "the cobbler's children have no shoes".

------
cft
I was hoping that IPv6 would help with the attacks from non-spoofed IPs: each
DDoS participating device would get a permanent sticky IP address, and there
would be a global list of blacklisted IP addresses maintained by a neutral
organization, such that these IPs would get null routed by transit carriers.

~~~
jlgaddis
The routing tables would fill up very, very quickly.

Not to mention that IPv6 doesn't really help solve the "ISPs aren't dropping
invalid packets as they are received" problem.

------
based2
[https://tools.ietf.org/html/rfc2827](https://tools.ietf.org/html/rfc2827)

[http://www.bcp38.info/index.php/Main_Page](http://www.bcp38.info/index.php/Main_Page)
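citrin_ru's RFC2827 remark above and based2's RFC 2827 / BCP 38 links both refer to source-address validation at the ISP edge: a packet arriving from a customer port with a source address that customer was never assigned cannot be legitimate, so it is dropped before it reaches the transit network. The Python below models that check as an example added here; it is not code from the thread, from the RFC, or from any router vendor. Port names, customer prefixes and the packet list are constructed from documentation address ranges, and an ingress port with no known assignment is treated as deny-by-default.

```python
from ipaddress import ip_address, ip_network

# Constructed assignment table: which prefixes each customer-facing port is
# allowed to originate traffic from (both address families). Names and
# prefixes are placeholders from the RFC 5737 / RFC 3849 documentation ranges.
CUSTOMER_PREFIXES = {
    "port-1": [ip_network("198.51.100.0/26")],
    "port-2": [ip_network("198.51.100.64/26"), ip_network("2001:db8:1::/48")],
}


def ingress_permitted(port, src, assignments=CUSTOMER_PREFIXES):
    """True if `src` falls inside a prefix assigned to `port`.

    Unknown ports have no assignment and therefore pass nothing (deny by
    default). ipaddress networks never contain an address of the other
    family, so a v6 source on a v4-only port is rejected automatically.
    """
    addr = ip_address(src)
    return any(addr in net for net in assignments.get(port, []))


def filter_packets(packets, assignments=CUSTOMER_PREFIXES):
    """Split (ingress_port, src_ip, dst_ip) tuples into forwarded and dropped.

    Each dropped entry carries the reason so an operator can count spoofing
    per customer port; in practice that counter is the early warning that a
    customer's host has joined a spoofed flood.
    """
    forwarded, dropped = [], []
    for port, src, dst in packets:
        if ingress_permitted(port, src, assignments):
            forwarded.append((port, src, dst))
        else:
            dropped.append((port, src, dst, f"source {src} not assigned to {port}"))
    return forwarded, dropped


# Constructed sample: a mix of genuine and spoofed sources on the two ports.
SAMPLE_PACKETS = [
    ("port-1", "198.51.100.10", "192.0.2.53"),         # own prefix: forwarded
    ("port-1", "203.0.113.9", "192.0.2.53"),           # outside any assignment: dropped
    ("port-2", "198.51.100.70", "192.0.2.53"),         # own prefix: forwarded
    ("port-2", "2001:db8:1::1", "2001:db8:ffff::53"),  # own v6 prefix: forwarded
    ("port-2", "2001:db8:2::1", "2001:db8:ffff::53"),  # neighbouring v6 prefix: dropped
    ("port-1", "198.51.100.70", "192.0.2.53"),         # port-2's address on port-1: dropped
]


def summarize(packets=SAMPLE_PACKETS):
    """Count forwarded and dropped packets per ingress port."""
    forwarded, dropped = filter_packets(packets)
    summary = {}
    for port, *_ in forwarded:
        summary.setdefault(port, {"forwarded": 0, "dropped": 0})["forwarded"] += 1
    for port, *_ in dropped:
        summary.setdefault(port, {"forwarded": 0, "dropped": 0})["dropped"] += 1
    return summary


if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    for entry in drp:
        print("DROP", entry[3])
    print(summarize())
```

The check is per ingress port, not per address: the same source address is legitimate on the port it was assigned to and spoofed on any other, which is why the last sample packet is dropped even though 198.51.100.70 is a valid customer address elsewhere on the same ISP.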

------
criddell
This is offtopic, but did CMU ever face any consequences for their attack on
Tor a year or two ago?

~~~
tomschlick
Why would they? From what I remember (helping to de-anonymize users) they
didn't do anything illegal...

~~~
criddell
University studies often have to meet an ethical as well as legal standard.

~~~
tomschlick
Could still be construed as ethical so long as they were focused on catching
anonymized criminals (CP, scammers, etc). Of course that kind of research can
lead to others using the same strategy to de-anonymize all TOR users.

------
andhix
I have no idea, still learning about DDoS attacks and how to protect from them.
Just call a DDoS expert, I thought.

------
sriehl
archive.is link with all formatting:
[https://archive.is/ASz1w](https://archive.is/ASz1w)

------
IHG
Make sure you understand your infrastructure and web deployment. Lock this
down as tightly as possible. Use a 3rd party to protect your web infrastructure,
such as Incapsula.

------
assafridman
Spread over several servers in several continents, limit each server to serve
its own region and use geo-located DNS.

If you don't want to waste money on the server, just use Incapsula.

------
velox_io
So are there any ways to mitigate a DDoS attack, aside from throwing money at
it by buying a large pipe? Null routing or taking the site offline doesn't sound
like a solution.

------
breaker9691
The best way to prevent a DDoS attack is using money; there's nothing you
can do more than money can.

------
0xmohit
I'm not so sure if the _best practices_ for prevention would be of any good.

------
Demcox
Oh the irony....

------
jester23947
So how do you prevent volumetric attack?

~~~
Kephael
You must have excess bandwidth in order to absorb the flood or your upstream
transit provider(s) need to filter the attack.

