Re: looking for pull traffic
On Thu, 13 Nov 2003, Richard A Steenbergen wrote: > The traffic is too short and bursty to be of any benefit, even when you > can successfully filter it so that no other operations are impacted. I think that would be the biggest trick in order to even ratios - keep other services unaffected. I think most DOS traffic is hard to wrangle. > I also stand by my opinion that DoS does not happen without a reason. I happen to agree with that %100. Most of the times I get DOS on my network its either: 1. IRC 2. The EFF #2 doesn't happen that often, but when it does, its sortof entertaining to figure out where/what/why. Most people love the EFF, and are happy to help sort out problems :) #1 happens more often, but I generally tend to keep a good lot of direct customers, and the people targeted are customers of customers. > Those kinds of targets are generally not only engaged in some activity > which invites attack (such as running an IRC server), they are actively > encouraging it by their behavior, and probably should be booted anyways > for other reasons that you just don't know about yet. I've seen a few ISP's who run IRC servers reserve IP blocks for them, and only announce said blocks to peers. Seems like a good way to cut down on the number of people to contact when you have DOS aimed at it. > The only benefit to having a hefty outbound ratio is that you have plenty > of headroom to work with when attacks do come in. Unless you happen to > notice that a large amount of the traffic is coming from certain Asian > Pacific networks, and intentionally peer with them to setup choke points. > :) Good point. I'd be curious to see in terms of percentages, which networks source the most DOS and then keep them on INOC-DBA SpeedDial. I had in fact suggested to a certain Asian Pacific network that we should peer so that when someone on their network did launch a DOS against one of my customers, it would only cause problems there :) Whats next, DOS-NAP?
RE: looking for pull traffic
> > Maybe I am exceptionally naive, but are DDOSes *REALLY* that consistent > > between providers to affect month-over-month or quarterly ratios? > > yes. because if you're a small provider then you only need a small flow > to balance yourself. and the 95th percentile cuts both ways. Depending on your value for "small", wouldn't the minimum traffic requirements for a major network peering relationship stymie this process? 95th percentile for 100-200 mb/s is one thing, 95th for 2-3 gb/s is very different [provider - provider peering, not total capacity]. Maybe I am overestimating peering coordinators here, but I'd like to think I know a few, and more than a few hundred mb/s of DDOS traffic has got to show up somewhere on the radar. DJ
Re: looking for pull traffic
On Thu, Nov 13, 2003 at 04:38:06PM -0800, Tom (UnitedLayer) wrote: > > On Thu, 13 Nov 2003, Deepak Jain wrote: > > Maybe I am exceptionally naive, but are DDOSes *REALLY* that consistent > > between providers to affect month-over-month or quarterly ratios? > > I know a webhoster/provider who consistently takes in 1Mpps DOS attacks, > and I'm presuming that the 95th percentile on that will be fairly high... > > Would I want that? Not especially... Having had a few large DoS-magnet customers behind me (and more than likely being the provider you're talking about :P), I can safely say that they do absolutely nothing to benefit ratios. The traffic is too short and bursty to be of any benefit, even when you can successfully filter it so that no other operations are impacted. I also stand by my opinion that DoS does not happen without a reason. Yes there may be that 1% who gets attacked because they are Yahoo or eBay and are public targets, but it takes a really really special kind of DoS magnet to consistantly receive enough traffic to affect 95th percentile. Those kinds of targets are generally not only engaged in some activity which invites attack (such as running an IRC server), they are actively encouraging it by their behavior, and probably should be booted anyways for other reasons that you just don't know about yet. The only benefit to having a hefty outbound ratio is that you have plenty of headroom to work with when attacks do come in. Unless you happen to notice that a large amount of the traffic is coming from certain Asian Pacific networks, and intentionally peer with them to setup choke points. :) -- Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
RE: looking for pull traffic
On Thu, 13 Nov 2003, Deepak Jain wrote: > Maybe I am exceptionally naive, but are DDOSes *REALLY* that consistent > between providers to affect month-over-month or quarterly ratios? I know a webhoster/provider who consistently takes in 1Mpps DOS attacks, and I'm presuming that the 95th percentile on that will be fairly high... Would I want that? Not especially...
Re: looking for pull traffic
On Thu, 13 Nov 2003, Paul Vixie wrote: > > support transit-exchange, there really ought to be a market for suck. apparently there is a huge market for suck > > (anybody have any guesses how much of the current ddos load is driven by > ratio concerns? that is, now that we know spammers are hiring folks to > ddos antispammers, can we finally admit that isp's are hiring folks to > fix their ratios for them by ddosing from larger-provider networks? > viva laissez faire, i guess.) I know of cases that sure looked like this in the late 1999/2000 timeframe.
Re: looking for pull traffic
> Ahh, but are you saying that current blow-based transit pricing is stable? ah. no. current transit pricing is way way lower than a non-bankrupt provider can afford to do it for on an ROI that the public markets would find worthy of their praise. eventually, all kinds of flies are going to hit all kinds of windshields. but there's so much bankrupt asset in the field right now that nobody still knows how much anything really costs them to produce. so it's apparently stable for now. > Maybe I am exceptionally naive, but are DDOSes *REALLY* that consistent > between providers to affect month-over-month or quarterly ratios? yes. because if you're a small provider then you only need a small flow to balance yourself. and the 95th percentile cuts both ways.
RE: looking for pull traffic
> my guess is that when isp's start paying customers for suck in order to > balance their own ratios or to upset other people's ratios, that it will > stabilize at about 10% of current blow-based transit pricing. and that > there will all of a sudden be a lot more ddos'ing, fly-by-night crawlers, > and whatnot than there are today. gads, what a world. Ahh, but are you saying that current blow-based transit pricing is stable? > (anybody have any guesses how much of the current ddos load is driven by > ratio concerns? that is, now that we know spammers are hiring folks to > ddos antispammers, can we finally admit that isp's are hiring folks to > fix their ratios for them by ddosing from larger-provider networks? > viva laissez faire, i guess.) Maybe I am exceptionally naive, but are DDOSes *REALLY* that consistent between providers to affect month-over-month or quarterly ratios? DJ
Re: looking for pull traffic
i'm sure search engines like google or altavista or microsoft or yahoo
would happily charge you less for suck than your peers/transits would
(like to) change you for blow. with transit-exchange businesses coming
into existence, and with older peering-exchange businesses willing to
support transit-exchange, there really ought to be a market for suck.
there's certainly no reason for a search engine to pay for their suck;
it's extremely valuable, no matter who they pull it through, big or
small. and it's arguable that quality of suck will be less of a revenue
driver than quality of blow, so arguments of the form "you should suck
through us because we have a better network" aren't very weighty.
my guess is that when isp's start paying customers for suck in order to
balance their own ratios or to upset other people's ratios, that it will
stabilize at about 10% of current blow-based transit pricing. and that
there will all of a sudden be a lot more ddos'ing, fly-by-night crawlers,
and whatnot than there are today. gads, what a world.
(anybody have any guesses how much of the current ddos load is driven by
ratio concerns? that is, now that we know spammers are hiring folks to
ddos antispammers, can we finally admit that isp's are hiring folks to
fix their ratios for them by ddosing from larger-provider networks?
viva laissez faire, i guess.)
re:
[EMAIL PROTECTED] ("matthew zeier") writes:
> Higher powers have decided our 95/5 traffic slit needs to move closer to
> 60/40 (transit pricing).
>
> I'm looking for legitimate ways to generate a significant amount of pull
> traffic, including partnerships with Southern California ISPs.
>
> Thanks.
--
Paul Vixie
Re: looking for pull traffic
DoS yourself? On Thu, 13 Nov 2003, matthew zeier wrote: > Higher powers have decided our 95/5 traffic slit needs to move closer to > 60/40 (transit pricing). > > I'm looking for legitimate ways to generate a significant amount of pull > traffic, including partnerships with Southern California ISPs. > > Thanks. > > > -- > matthew zeier - "Curiosity is a willing, a proud, an eager confession > of ignorance." - Leonard Rubenstein > >
looking for pull traffic
Higher powers have decided our 95/5 traffic slit needs to move closer to 60/40 (transit pricing). I'm looking for legitimate ways to generate a significant amount of pull traffic, including partnerships with Southern California ISPs. Thanks. -- matthew zeier - "Curiosity is a willing, a proud, an eager confession of ignorance." - Leonard Rubenstein
