On Wed, 6 Jul 2016 10:45:40 -0700 alvin.ml@xxxxxxxxxxxxxxxxxxxxxxx wrote:

> hi antonio
>
> On 07/06/16 at 05:36pm, Antonio Prado wrote:
> >
> > at BGP level, when an AS is DDoSed with a 10Gbps rate (or maybe more),
>
> 10Gbps ( bits/sec ) is not that big of an ISP but still not ez to DDoS
>
> it seems, some of the ISPs like to use RTBH for DDoS mitigation, but,
> that'd still imply they received the DDoS packets in order that they
> can /dev/null it ...
>
> i wonder why they don't traceroute back to the original attacker
> and have the local law enforcement come knocking on the door ..
> i ISP know where all the packets are coming from that they in turn
> fwd to the next hop

Because it's distributed. Mayhap they send bad packets 'from' your IP to
servers around the world, and those servers reply to your IP; this type of
DDoS could be mostly prevented by ISPs rejecting packets that could not have
originated from their networks. Mayhap they use a 'bot farm.

The only real positive action one can take is to drop, without logging,
INVALID packets as early as possible: in the first rule in mangle:PREROUTING.
They are not, and cannot be, associated with a valid conn, cannot be sent
anywhere and, thus, should be dropped as soon as they are identified as
INVALID. (In fact, there ought to be a netfilter /proc or /sys control to do
this, akin to the 'drop ICMP ECHO packets' control.)

NEW packets can be rate-limited, perhaps to 100%-200% of normal expected
traffic.

Outside that, the only recourse is to ask the upstream provider to rate-limit
downlink data to you until the DDoS subsides; this will only reduce the load
on your server and free up some bandwidth.

Years ago, I was asked to put a load on a web server (vBulletin); the admin
was tracking down a problem. With a mere 3Mb/s uplink, I was able to bring
the server to its knees using my Debian desktop system.

It doesn't necessarily take much to DDoS a system; there was a popular
firewall system on which bootup and shutdown could be delayed (or frozen)
with a mere 51k byte/s traffic load on any interface.
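The two mitigations the message above recommends (drop INVALID first in mangle:PREROUTING, rate-limit NEW to a percentage of normal) written out as an iptables rule generator; this is an added example, not code from the poster, and the normal new-connection rate it takes as input is an assumed figure you would measure on your own host.

```shell
#!/bin/sh
# Added example: generate iptables rules for the advice in the message above.
# Assumes iptables with the conntrack and limit match extensions. The rules
# are printed, not applied, so they can be reviewed first.

IPT="${IPT:-iptables}"

# ddos_rules NORMAL_NEW_PPS [PERCENT]
#   NORMAL_NEW_PPS: your measured normal rate of NEW packets per second (assumed input)
#   PERCENT:        how much of that rate to allow, default 200 (the post suggests 100-200)
ddos_rules() {
    normal_pps="$1"
    percent="${2:-200}"
    limit=$(( normal_pps * percent / 100 ))   # allowed NEW packets per second
    burst=$(( limit * 2 ))                    # short burst tolerance above the steady rate

    # 1. Drop INVALID packets as the very first rule in mangle:PREROUTING,
    #    with no logging: they belong to no connection and cannot be forwarded.
    echo "$IPT -t mangle -I PREROUTING 1 -m conntrack --ctstate INVALID -j DROP"

    # 2. Let established traffic through untouched.
    echo "$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # 3. Accept NEW packets only up to the computed global rate; drop the rest.
    #    'limit' without per-source hashing is a single bucket, matching the
    #    post's "percentage of normal expected traffic" rather than a per-IP cap.
    echo "$IPT -A INPUT -m conntrack --ctstate NEW -m limit --limit ${limit}/second --limit-burst ${burst} -j ACCEPT"
    echo "$IPT -A INPUT -m conntrack --ctstate NEW -j DROP"
}

# Example run: 100 NEW pkt/s is the assumed normal rate for this host.
ddos_rules 100
```

To apply, review the printed lines and run them as root (for example `ddos_rules 100 | sh`); note the limit is global, so during an attack legitimate new connections share the same budget, which is why the post calls this a load reduction rather than a cure.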