Research: Practical Challenge-Response for DNS

11 March 2019

Because the speed of DNS is so important to the performance of any connection on the ’net, a lot of thought goes into making DNS servers fast, including optimized software that can respond to queries in milliseconds, and connecting DNS servers to the ’net through high-bandwidth links. To set the stage for massive DDoS…

DDoS Mitigation Strategies

7 November 2018

Research: Tail Attacks on Web Applications

12 September 2018 | 1 Comment

When you think of a Distributed Denial of Service (DDoS) attack, you probably think of an attack that overflows the bandwidth available on a single link, or one that overflows the number of half-open TCP sessions a device can have open at once, preventing the device from accepting more sessions. In all cases, a DoS or…

On the ‘web: The Value of MANRS

16 January 2018

Route leaks and Distributed Denial of Service (DDoS) attacks have been in the news a good deal over the last several years; but the average non-transit network operator might generally feel pretty helpless in the face of the onslaught. Perhaps you can buy a DDoS mitigation service or appliance, and deploy the ubiquitous firewall at…

Flowspec and RFC1998?

4 January 2018

In a recent comment, Dave Raney asked: Russ, I read your latest blog post on BGP. I have been curious about another development. Specifically is there still any work related to using BGP Flowspec in a similar fashion to RFC1998. In which a customer of a provider will be able to ask a provider to…

History of Networking: DDoS

28 November 2017

Another excellent recording by the folks at the Network Collective. Roland Dobbins on the history of Distributed Denial of Service attacks!

On the ‘web: A new way to deal with DDoS

20 June 2017 | 3 Comments

Most large-scale providers manage Distributed Denial of Service (DDoS) attacks by spreading the attack over as many servers as possible, and simply “eating” the traffic. This traffic spreading routine is normally accomplished using Border Gateway Protocol (BGP) communities and selective advertisement of reachable destinations, combined with the use of anycast to regionalize and manage…

Reaction: Offensive Destruction of Attack Assets

10 May 2017

It is certainly true that DDoS and hacking are on the rise; there have been a number of critical hacks in the last few years, including apparent attempts to alter the outcome of elections. The reaction has been a rising tide of fear, and an ever increasing desire to “do something.” The something that seems…

Distributed Denial of Service Open Threat Signaling (DOTS)

3 April 2017

When the inevitable 2AM call happens—“our network is under attack”—what do you do? You have run through the OODA loop (1, 2, 3, 4), used communities to distribute the attack as much as possible, and mitigated the attack where possible, and now you realize there is little you can do locally. What now? You need to wander out…

Blocking a DDoS Upstream

13 February 2017 | 1 Comment

In the first post on DDoS, I considered some mechanisms to disperse an attack across multiple edges (I actually plan to return to this topic with further thoughts in a future post). The second post considered some of the ways you can scrub DDoS traffic. This post is going to complete the basic lineup of…