TheWiseGuy (Dog And Butterfly, MVM, join:2002-07-04, East Stroudsburg, PA) to ubermoe

Re: DDoS Attacks and Service Providers

One problem is that a DDoS is exactly what the name implies: Distributed. Since the traffic is coming from many different IPs, and the source IP may even be spoofed, it can be difficult to tell what is legitimate traffic and what is part of the DDoS. So you need to, at a minimum, know which IPs to block; otherwise you are simply shutting off the legitimate traffic.

When you ask why they allow 10X traffic to pass to the link, you are really asking why they cannot tell legitimate traffic from traffic that is designed to cause problems, and unfortunately the traffic may not have a "neon sign" saying that it is part of the DDoS.

ubermoe (Member, join:2012-09-21, Jordan)

TheWiseGuy and Coolbrz,

I forgot to mention a little issue that happened in the first 24 hours of the attack. The link was fully utilized for about 45 minutes, then they started to notice abnormal bursts. They thought the issue was solved and the attack was over, but here is what happened:

Users (customers of X bank) whose Internet connection came from that provider were able to access services, but users from different ISPs weren't able to access anything. The issue is solved now, but do you guys have an explanation for that matter?
TheWiseGuy (Dog And Butterfly, MVM, join:2002-07-04, East Stroudsburg, PA)

An ISP can drop all traffic at its gateway routers inbound to the IP address that is experiencing the DDoS, while continuing to route traffic to that IP internally. Of course, this drops all traffic from other ISPs, both legitimate packets and packets intended to DDoS the IP.

ubermoe (Member, join:2012-09-21, Jordan) [2 edits]

Beautiful piece of info, TheWiseGuy, but let me understand that. Packets being sent to the gateway inbound for that IP are packets sent from multiple sources, including sources from within the ISP network and from different sources. If it's going to drop all traffic intended to enter the inbound gateway interface, this will drop all traffic from all sources, including the ISP network. I imagine that traffic as the following:

- traffic from within the network: A1
- traffic from outside the network coming from different sources including the DDoS traffic: A2

A1 and A2 are going to enter the inbound interface in order to be routed to an outbound interface after matching QoS/ACLs/etc., and then to the company's gateway router. Specifically, the traffic entering the inbound interface of the ISP's gateway is going to be A1+A2, and dropping that traffic will cause all packets from all sources to be completely discarded.

If none of what I mentioned is correct, what do you mean by "continuing to route traffic to that IP internally"? Do you mean traffic known to be generated from within the ISP's network?

Really interesting to know and I hope I am not making it complicated.
TheWiseGuy (Dog And Butterfly, MVM, join:2002-07-04, East Stroudsburg, PA) [1 recommendation]

Take a look at the above picture from a Cisco article.

Assume the IP being DDoSed is in AS (autonomous system) 65500. An ISP could drop all packets at the Border Gateway Routers labeled A and/or B that are being sent to the IP being DDoSed, while still routing the packets within its AS. So in this case, when ISP A or B tries to send from Router D or E to the IP that is being DDoSed, routers A or B drop the packets.

An ISP can fairly easily drop *all* packets intended for a specific IP at any of its routers' interfaces, not just the Border Gateway Routers, but when it does that it blocks legitimate as well as unwanted traffic.

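The distinction TheWiseGuy draws (drop at the border routers A/B versus drop at every router) is easy to see in a small simulation. The following is an added example, not code from the thread or from any vendor; it uses RFC 5737 documentation addresses, a constructed packet list, and hypothetical names (`VICTIM`, `border_filter`, `blackhole_everywhere`, `summarize`). The key decision point is the interface a packet *arrived on*, not its source address, because attack sources can be spoofed to look like the ISP's own customers (ubermoe's A1 versus A2 split).

```python
"""Where a destination-based DDoS filter sits decides which traffic survives.

Constructed example. Two policies are compared on the same sample traffic:
  - border_filter: drop packets for the victim only on border routers A/B,
    i.e. only packets that arrived from another AS (ubermoe's A2).
  - blackhole_everywhere: a null route for the victim on every router,
    which also discards the ISP's own customers' traffic (ubermoe's A1).
Routers never see the `legit` flag; it is ground truth for scoring only.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

VICTIM = ip_address("203.0.113.10")  # hypothetical bank server inside the ISP's AS


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # "border": arrived from another AS; "internal": from the ISP's own customers
    legit: bool   # simulation ground truth only; not visible to the routers


# Constructed sample traffic. 198.51.100.0/24 stands in for the ISP's customer
# space, 192.0.2.0/24 for the rest of the Internet.
SAMPLE_TRAFFIC = [
    # A1: the ISP's own customers reaching the bank; never crosses a border router
    Packet("198.51.100.7", "203.0.113.10", "internal", True),
    Packet("198.51.100.9", "203.0.113.10", "internal", True),
    # A2: a legitimate customer of the bank on another ISP, arriving via router A/B
    Packet("192.0.2.44", "203.0.113.10", "border", True),
    # A2: attack traffic arriving via the border; sources are indistinguishable
    Packet("192.0.2.100", "203.0.113.10", "border", False),
    Packet("192.0.2.101", "203.0.113.10", "border", False),
    Packet("192.0.2.102", "203.0.113.10", "border", False),
    # A2: attack packet with a source spoofed to look like an ISP customer;
    # a source-address filter would pass it, an ingress-based one does not
    Packet("198.51.100.7", "203.0.113.10", "border", False),
    # Unrelated traffic to another host behind the same border; must be unaffected
    Packet("192.0.2.45", "203.0.113.20", "border", True),
]


def no_filter(pkt: Packet) -> bool:
    """Baseline: everything is forwarded to the victim."""
    return True


def border_filter(pkt: Packet) -> bool:
    """Drop on routers A/B only: packets for VICTIM that entered from another AS."""
    return not (pkt.ingress == "border" and ip_address(pkt.dst) == VICTIM)


def blackhole_everywhere(pkt: Packet) -> bool:
    """Null route on every router: any packet for VICTIM is discarded, wherever it came from."""
    return ip_address(pkt.dst) != VICTIM


def simulate(packets, policy) -> Counter:
    """Apply a forwarding policy and tally (outcome, class, ingress) triples."""
    tally = Counter()
    for pkt in packets:
        outcome = "delivered" if policy(pkt) else "dropped"
        tally[(outcome, "legit" if pkt.legit else "attack", pkt.ingress)] += 1
    return tally


def summarize(policy, packets=SAMPLE_TRAFFIC) -> dict:
    """Collapse the tally into four numbers a network operator cares about."""
    tally = simulate(packets, policy)
    result = {}
    for outcome in ("delivered", "dropped"):
        for cls in ("legit", "attack"):
            result[f"{cls}_{outcome}"] = sum(
                n for (o, c, _), n in tally.items() if o == outcome and c == cls
            )
    return result


if __name__ == "__main__":
    for policy in (no_filter, border_filter, blackhole_everywhere):
        print(f"{policy.__name__:22s} {summarize(policy)}")
```

With `border_filter` every attack packet is dropped and the ISP's own customers (A1) still reach the bank; the cost is the one legitimate user on another ISP, which is exactly the symptom ubermoe observed. `blackhole_everywhere` stops the attack just as well but also cuts off A1, so only the unrelated packet to the other host gets through.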
ubermoe (Member, join:2012-09-21, Jordan)

Thank you so much, TheWiseGuy, for your time. Your explanation was totally clear and I get it now.

Appreciate it dude