On Mon, Jul 16, 2018, 19:39 Walt <neurobot...@protonmail.ch> wrote:
>
> I'm not sure what would be useful for when we are the target of an
> attack. It seems to me that when the attack is going on, our bandwidth is
> so saturated that I'm not sure what we can do except to wait it out or to
> pay our provider to help mitigate the attack.
>
This is pretty much the gist of it. One cannot stop this class of DDoS from the customer's end. There are a variety of solutions involving reverse proxies and big, scalable clusters, but the fact is if the attacker knows your real IP address, they can flood your residential or small business connection easily.

> On the other hand, there are steps that we can take to limit any unwitting
> participation in an attack from our side. For example, I have already been
> blocking all incoming UDP, TCP, and ICMP packets from the internet that
> claim to originate from our IP addresses and all outgoing UDP, TCP, and
> ICMP packets to the internet that are not from our IP addresses.
>

This is a great start. Most recent attacks rely on either a fleet of many hacked IoT/"Smart" devices to generate a bill of coordinated traffic from thousands or even millions of networks, or they rely on UDP amplification attacks. It sounds like you are taking adequate precautions against publicly accessible assets that might get hijacked, so I'll focus on amplification attacks.

UDP amplification is where an unwitting third party (such as yourself) is hosting a UDP service that is capable of responding back with a much larger payload than that which is sent to it. The simplest and most obvious example is hosting an open, recursive DNS resolver. The attacker spoofs a request for a large record (often a TXT entry) using the IP address of the real victim. Your resolver, in return, recursively fetches and caches the answer, then forwards the rather large response to the victim, which, of course, didn't actually make the request and is not expecting this data. The attacker does this repeatedly, and in tandem with a large corpus of similarly misconfigured services hosted by other unwitting third parties. Now tens of thousands of unsolicited DNS responses per second are exhausting the bandwidth of the victim, and the attackers' real address isn't even involved.
Similar attacks have used misconfigured NTP servers. Make sure your public, likely-authoritative DNS servers are not publicly recursive for domains you don't control.

https://en.m.wikipedia.org/wiki/Split-horizon_DNS

> With the ever increasing sophistication of ddos attacks, is anything else
> we can do in order to keep anything on our network from being used as part
> of a botnet or in order to reduce the severity of an incoming ddos attack.
>
> Walt
>
>
> Sent with ProtonMail Secure Email.
>
>
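One way to check whether a public authoritative server is quietly acting as the open recursive resolver described above is to audit its query log for outsiders asking it to recurse for names it is not authoritative for. The script below is an added example and is not code from the thread or from any DNS vendor. It assumes BIND-style query log lines (the leading `+` in the flags field means the client set Recursion Desired), and the local prefixes, the zone list and every log line are constructed, hypothetical values.

```python
"""Audit DNS query-log lines for open-recursion abuse (added example).

Verdicts per query:
  internal        source is in LOCAL_NETS; recursing for our own users is intended
  authoritative   name is in a zone we serve; answering anyone is the job
  open-recursion  outside source asked us to recurse for a foreign name
  non-recursive   outside source, no RD bit; an ordinary referral/REFUSED case
"""
import ipaddress
import re
from collections import Counter

# Hypothetical values: the address space we are willing to recurse for and
# the zones this server is authoritative for (not taken from the thread).
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("10.0.0.0/8")]
OUR_ZONES = ("example.net",)

# Record types whose answers give an amplifier the most bytes per request.
BIG_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Modelled on BIND's query log line:
#   client <ip>#<port> (<qname>): query: <qname> IN <qtype> <flags> (<local ip>)
LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def in_our_zones(name):
    n = name.rstrip(".").lower()
    return any(n == z or n.endswith("." + z) for z in OUR_ZONES)


def classify(rec):
    """Decide whether a parsed query is something an authoritative server should have served."""
    if is_local(rec["ip"]):
        return "internal"
    if in_our_zones(rec["name"]):
        return "authoritative"
    if rec["flags"].startswith("+"):   # Recursion Desired from an outsider
        return "open-recursion"
    return "non-recursive"


def audit(lines):
    """Count verdicts, rank sources of open-recursion queries, count big-record queries."""
    verdicts = Counter()
    abusers = Counter()
    big = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            verdicts["unparsed"] += 1
            continue
        v = classify(rec)
        verdicts[v] += 1
        if v == "open-recursion":
            # The "client" here is the address the attacker wants us to flood,
            # not the attacker, so it is the victim to protect, not to block.
            abusers[rec["ip"]] += 1
            if rec["qtype"].upper() in BIG_QTYPES:
                big += 1
    return {
        "verdicts": dict(verdicts),
        "open_recursion_sources": abusers.most_common(),
        "high_amplification_queries": big,
    }


# Constructed sample log; 198.51.100.7 plays the spoofed victim, 203.0.113.53 is our server.
SAMPLE_LOG = [
    "client 198.51.100.7#53211 (example.com): query: example.com IN ANY +E (203.0.113.53)",
    "client 198.51.100.7#53211 (example.com): query: example.com IN ANY +E (203.0.113.53)",
    "client 198.51.100.7#40121 (example.org): query: example.org IN TXT +ED (203.0.113.53)",
    "client 192.0.2.44#51000 (example.net): query: www.example.net IN A +E (203.0.113.53)",
    "client 10.1.2.3#51515 (example.org): query: example.org IN MX +E (203.0.113.53)",
    "client 192.0.2.9#1024 (example.com): query: example.com IN A -E (203.0.113.53)",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("verdicts:", report["verdicts"])
    print("open-recursion sources:", report["open_recursion_sources"])
    print("big-record queries from outsiders:", report["high_amplification_queries"])
```

Any non-zero open-recursion count on a server that is meant to be authoritative only means the `allow-recursion` (or equivalent) policy needs tightening; the ranked sources show who is currently being flooded through you, which is useful when notifying them or your upstream.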