
During a DDoS attack even when you successfully stop it at your datacenter the link between you and your ISP will still be saturated and traffic brought to a halt.

In this case what is the best way to communicate to the ISP to block the source IP addresses at the ISP level, surely there must be a better way than to email them or call them?

Exocomp
  • Search for RTBH. – Ron Maupin Oct 11 '17 at 15:55
  • I think RTBH is to protect the ISP, not the victim. It will nullroute the victim IP at the victim's ISP routers, not at the attacker's ISP routers. – ThoriumBR Oct 11 '17 at 16:52
  • I looked up "RTBH" as Ron mentioned and came across "Source-based RTBH routing" which looks promising, anyone use that method before? – Exocomp Oct 11 '17 at 17:20
  • @Exocomp RTBH is not used to protect the victim, but the ISP. Employing RTBH against a DDoS-ed site will effectively cut access to it, creating the ultimate DoS. It signals upstream routers that you don't want to route traffic to the victim, and the victim side goes from being very slow to not receiving any traffic at all. – ThoriumBR Oct 11 '17 at 18:44
  • @ThoriumBR What is "Source-based RTBH routing" then? – Exocomp Oct 11 '17 at 18:47
  • @Exocomp I edited my question to address RTBH. – ThoriumBR Oct 11 '17 at 19:12
  • @ThoriumBR, RTBH is to protect the victim network, not necessarily the victim host. It does not protect the ISP because the ISP has already received the traffic. – Ron Maupin Oct 11 '17 at 20:07
  • @RonMaupin can you elaborate on your previous response? – Exocomp Oct 11 '17 at 20:10
  • Assume you have a particular host that is the victim of a DDoS attack. The attack can completely disrupt or block all traffic coming into your network, even for hosts that are not the target of the attack. RTBH on your ISP can block the DDoS traffic destined to the target host, without blocking all traffic to your network. That may render your target host unusable from outside your network, but the rest of your network should still work. It can also protect the target host itself from some types of vulnerabilities that may be exposed during such high traffic volume. – Ron Maupin Oct 11 '17 at 20:15
  • @RonMaupin I see what you're saying. What do you think of source RTBH? Is there any practical use there? – Exocomp Oct 11 '17 at 20:19
  • @RonMaupin RTBH will protect the victim's ISP if the ISP triggers it upstream. – ThoriumBR Oct 11 '17 at 20:20
  • @ThoriumBR, that has nothing to do with the customer or the customer's network. That is up to the ISP and its vendors. As far as an ISP customer is concerned, RTBH protects its network. – Ron Maupin Oct 11 '17 at 20:23
  • @RonMaupin I don't understand what you mean, if source RTBH can stop the dos attack at the ISP wouldn't that be helpful in mitigating the dos attack? – Exocomp Oct 11 '17 at 20:27
  • @Exocomp, Source RTBH is not often supported by ISPs. Think about it. Routing is normally done based on destination addresses. To route via source addressing requires extra resources. Normal routing protocols only look at the destination address because that points to the next hop in the routing table. To route by source addressing is outside that, and it takes extra resources to take a second look at the packet after the router has determined where to route the traffic. – Ron Maupin Oct 11 '17 at 20:27
  • @Exocomp, "_if source RTBH can stop the dos attack at the ISP wouldn't that be helpful in mitigating the dos attack?_" That is exactly what I am saying. RTBH is to protect your network. The ISP may have RTBH with its connected ISPs to protect its network, but that is a business agreement between the ISP and its vendors, and it has nothing to do with your business agreement with your ISP. – Ron Maupin Oct 11 '17 at 20:30
  • @RonMaupin I can see why ISPs might not want to support it. – Exocomp Oct 11 '17 at 20:30

4 Answers


The first D in DDoS means distributed.

As it's distributed, a DDoS victim will likely receive connections from hundreds of thousands of different source addresses, with different ISPs. Not only that, but some attacks make it very hard to tell apart an attack connection from a legitimate connection.

To block a DDoS at the source, you would have to:

  • list only the attacking connections

  • get the source IP

  • find the ISP for that IP

  • find the contact information for that ISP

  • ask them to block the connection to your site

And repeat hundreds of thousands of times.

You will likely be unable to find an ISP's contact information, and even if you can find it, it's unlikely they will change anything on their networks to help you. They will probably let you suffer. It's best for them to ignore you than to risk breaking something on their networks trying to help you.

Remote Triggered Black Hole (RTBH) is a mechanism to black hole destination addresses at the upstream router in the event of a DDoS against any IP address served by the router. It will not save you, either, because it's a mechanism designed to protect the infrastructure from a flood, not the flood victim.

Source-based RTBH has very limited effectiveness, because you have to separate malicious from authentic traffic before sending the offending IPs, and your ISP must have some mechanism for you to send them the malicious IPs. If any attacker learns that you have S-RTBH in place, it could flood your site using, for example, Google Translate, and your ISP would black-hole Google.

ThoriumBR
  • What do you mean by "If any attacker learns that you have S-RTBH in place, it could flood your site using, for example, Google Translate, and your ISP would black-hole Google"? I don't understand how someone would do that. – Exocomp Oct 11 '17 at 19:15
  • If someone sends a DDoS attack against you, they will want you to be offline. If they detect S-RTBH, they will try to trigger the S-RTBH from every large provider, so your site will effectively lock itself off from them. Google Translate is an easy example: just tell the zombie hosts to translate your site to any other language, your trigger will detect the flood, black-list the attacking address, and Google cannot access you anymore. – ThoriumBR Oct 11 '17 at 19:18
  • That's assuming that Google allows them to flood in the first place, most likely Google has a mechanism to stop that. I'm actually not worried about that. – Exocomp Oct 11 '17 at 19:23
  • Google doesn't care. Google can handle 100M connections to its translate service, your site cannot. – ThoriumBR Oct 11 '17 at 19:26
  • Sending 100M connections through Google Translate - are you serious bro? Give me a break. Go ahead and try it and see what Google does. They will throw a CAPTCHA at you all day long or just block you. – Exocomp Oct 11 '17 at 19:30
  • @Exocomp it seems you don't know how a DDoS is made. The attacker does not control one connection, in one computer. It controls a vast army of innocent computers, security cameras, or internet-connected door-bells. For Google, they appear like common requests, and nobody can tell an attacker instructed one million zombies to access Google Translate. Google can't tell which connections are from the attacker, so neither can you. – ThoriumBR Oct 11 '17 at 19:53
  • I understand that, but you are immediately assuming the worst possible DDoS there could be. For someone to infect a whole lot of clients and then have them make a whole lot of requests to some big shot like Google to take down someone can't be that probable. I'm more interested in a practical solution, or simply more options, and source RTBH seems to me like it has lots of potential, but as I have not used it in practice I can't speak from experience. – Exocomp Oct 11 '17 at 20:01
  • Source RTBH has potential, but is not widely used for a reason: the collateral damage can be too big, and the benefits are too small. As TomTom said, the most effective way to defeat a DDoS is throwing more bandwidth at the problem, having a large system take the hit for you, like CloudFlare. – ThoriumBR Oct 11 '17 at 20:05

NO chance. DDoS attacks do not have a small number of source IPs, and you would have to distinguish real and fake traffic. And there is no infrastructure on the ISP level to communicate this, including providing some sort of authentication (so it is not abused).

Your ONLY choice is to use something LIKE Cloudflare - distributed proxies that will do the check and mitigate the damage. Hide behind someone strong enough to take the load.

TomTom

In many cases, you're resigned to a "Remotely Triggered Black Hole" (RTBH) or a "null-route". This effectively drops all incoming traffic to the destination prefix as soon as possible to prevent saturating downstream links. It's possible to have a BGP speaker on your end talk to your ISP and trigger this automatically without interacting with a person at your ISP.

However, depending on what you're being hit with and how much your ISP likes you, you might be able to solve the issue without completely black-holing your hosts. You should determine what the attack traffic consists of and whether you can implement simple ACLs to filter this upstream. A great example of this is when DNS/SNMP/NTP/etc. reflection attacks were common a handful of years ago: the rules to filter these attacks were very simple (drop udp 53 inbound, etc.). I was able to talk to my upstreams (at the time Telia and Hurricane Electric) and get them to implement these simple rules closer to their core where the pipes were much larger.
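The triage step this answer describes (work out what the attack traffic consists of before asking the upstream for anything), together with Ron Maupin's point in the question comments that destination-based RTBH should target only the attacked /32, is shown below as an added example; it is not code from the original question or any of the answers. The flow records are constructed NetFlow-style summaries, the reflector port list and the share thresholds are assumptions, and the ACL text is an illustrative Cisco-style rendering rather than any specific vendor's verified syntax.

```python
"""Decide what to ask an upstream for: a /32 blackhole, a scoped ACL, or both.

Added example, not code from the original question or answers. All sample
data is constructed; thresholds and the reflector port list are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample flow records (NetFlow-style summary, one flow per line):
# src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
# 203.0.113.10 is the attacked host; 203.0.113.20 is a neighbour on the same prefix.
SAMPLE_FLOWS = """\
198.51.100.7,53,203.0.113.10,41002,udp,10,38000
198.51.100.8,53,203.0.113.10,41003,udp,12,45000
198.51.100.9,53,203.0.113.10,41004,udp,8,31000
198.51.100.20,123,203.0.113.10,41005,udp,20,9600
198.51.100.21,123,203.0.113.10,41006,udp,15,7200
192.0.2.50,51000,203.0.113.20,443,tcp,30,4500
192.0.2.51,52000,203.0.113.20,443,tcp,25,3900
192.0.2.60,53,203.0.113.20,40001,udp,2,240
192.0.2.52,53000,203.0.113.10,443,tcp,10,1500
"""

# UDP services commonly abused as reflectors (assumed list for this example).
REFLECTION_PORTS = {53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flows(text):
    """Parse the CSV-style records into Flow objects, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src_ip, src_port, dst_ip, dst_port, proto, packets, nbytes = line.split(",")
        flows.append(Flow(src_ip, int(src_port), dst_ip, int(dst_port),
                          proto, int(packets), int(nbytes)))
    return flows


def rtbh_candidates(flows, min_share=0.8):
    """Destination hosts absorbing at least `min_share` of all inbound bytes.

    These are the /32s to hand to the upstream for destination-based RTBH:
    the attacked host goes dark, the rest of the prefix keeps working.
    """
    total = sum(f.bytes for f in flows)
    per_dst = Counter()
    for f in flows:
        per_dst[f.dst_ip] += f.bytes
    return [f"{ip}/32" for ip, b in per_dst.most_common()
            if total and b / total >= min_share]


def reflection_filters(flows, min_share=0.05):
    """(proto, src_port, dst_ip, bytes) for reflection traffic worth an upstream ACL.

    Keying on the destination as well keeps the filter scoped to the attacked
    host, so a small legitimate DNS reply to a neighbouring host is left alone.
    """
    total = sum(f.bytes for f in flows)
    per_key = Counter()
    for f in flows:
        if f.proto == "udp" and f.src_port in REFLECTION_PORTS:
            per_key[(f.proto, f.src_port, f.dst_ip)] += f.bytes
    hits = [(p, sp, dst, b) for (p, sp, dst), b in per_key.items()
            if total and b / total >= min_share]
    return sorted(hits, key=lambda h: -h[3])


def acl_lines(filters):
    """Render filters as Cisco-style extended ACL entries (illustrative format)."""
    return [f"deny {proto} any eq {src_port} host {dst_ip}"
            for proto, src_port, dst_ip, _ in filters]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("RTBH /32 candidates:", rtbh_candidates(flows))
    for line in acl_lines(reflection_filters(flows)):
        print("upstream ACL:", line)
```

On the constructed data the attacked host takes about 94% of inbound bytes, so it is the only RTBH candidate, and the two reflection signatures (source port 53 and 123 towards that host) come out as scoped deny rules; the 240-byte DNS reply to 203.0.113.20 is below the threshold and is not filtered, which is the collateral-damage check the answers keep returning to.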


Usually DDoS attacks originate from a hacker in control of a botnet or network of zombie machines. The attacker will issue a command to all the bots instructing them to make requests for a particular resource / URI. The large number of requests overwhelms the server and takes it down.

The genius of DDoS attacks stems from the fact that the traffic comes from potentially legitimate IPs of real customers.

Not to mention that large enough DDoS attacks can employ a crazy amount of different IP addresses. In other words, there is no one IP to block. Or two, or three, or even four. There are hundreds or thousands of unique IPs.

Blocking a large number of IP addresses is not always desirable. By blocking a large number of IP addresses due to a large DDoS, you could be blocking a large number of legitimate users who might share those IP addresses as an undesirable side effect (e.g. Tor, proxy users, universities, shared households, ISPs that use NAT to save public IP addresses).

To prevent attacks like this, consider using a network testing service like Ixia that includes security testing, network infrastructure and wifi testing.

Mika Wolf