On 2016-10-01 16:51, Fredy Kuenzler wrote: [..]
> To achieve this I think we need a collaborative community effort setting up a common procedure and define a BGP community with the effect "do not announce beyond Switzerland".
Great initiative! If you need extra hands, don't hesitate to yell...
Did you btw see:
- http://www.trustednetworksinitiative.nl/
- https://www.nl-ix.net/solutions/security-solutions/trusted-routing
- https://ams-ix.net/technical/trusted-networks-initiative
We should have a Swiss equivalent:
- trusted and direct contacts
- require BCP38 where possible
- proper statistics/monitoring
- proper & standardized "You are DDoS'ing" notifications providing Flow info as "proof".
- proper & standardized "We put customer in walled garden"
The problem with the latter: VoIP... thus the walled garden needs to not block that due to "emergency services". Thus a throttle and a call to the customer might be needed to inform them...
As for the BGP thing... I thought folks had a deal like that per default for all their prefixes :)
It is after all the reason why quite a few IRC servers live(d) in PI /24....:
- always announce the prefix to local peers
- when 'normal' also announce to transit providers

When DDoS comes:
- stop announcing to transits
- check monitoring/stats tools to see which local peers are sending crap traffic and kick them hard
Now, the more important part is actually that:
- You have a good relationship with your transit
- You have an amazing relationship with your local peers: so that you can call them and notify them of the problem
- Have proper instrumentation

Of course, when you have that, you might also want to peek at:
- RPF / BCP38 kinda stuff and 'force' or 'require' that from your peers, thus avoiding any spoofed traffic from them.
Not that BCP38 actually solves anything for these DDoS's as there are just thousands of botted devices involved...
Proper flows everywhere, proper notification and shutdowns at the source are the only way to go there.
And that will involve people calling helpdesks because:
- their botted host is sending too much traffic making "The Internet Slow" and them complaining
- they are disconnected, as you caught them participating.
Which might not fly with management in many places as helpdesk == money.
Hence, maybe to cover that at least, having an admin.ch rule, BAKOM maybe, that allows an ISP to "restrict access", e.g. wall-garden an endpoint that is causing a DDoS attack, would be a good thing.
Though, does not have to go that high actually, having a general consensus between ISPs that this is the case and putting it in the end-user agreement could be good enough to cover their ass a bit.
Greets, Jeroen
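A concrete form of the "announce to local peers always, to transit only when normal" scheme from the message above, as an added example and not configuration from the thread or its participants: a BIRD 2 policy where tagging our own prefix with a constructed private community drops it from the transit export filter while local peers keep receiving it. The ASNs, neighbour addresses, prefix and community value are placeholders.

```bird
# Added example (not from the thread): BIRD 2 export policy for the
# "withdraw from transit under DDoS, keep announcing to local peers" scheme.
# All ASNs, addresses and the community value are constructed placeholders.
define MY_AS      = 64512;          # our ASN (placeholder)
define LOCAL_ONLY = (64512, 666);   # constructed "do not announce to transit" community

protocol static originated {
    ipv4;
    # The PI /24 we originate (placeholder). Add LOCAL_ONLY during a DDoS
    # and reconfigure; transit stops seeing it, local peers still do.
    route 192.0.2.0/24 blackhole {
        bgp_community.add(LOCAL_ONLY);
    };
}

filter export_to_transit {
    if source != RTS_STATIC then reject;      # only our own prefixes leave here
    if LOCAL_ONLY ~ bgp_community then reject;  # tagged = withdrawn from transit
    accept;
}

filter export_to_local_peers {
    if source != RTS_STATIC then reject;
    bgp_community.delete(LOCAL_ONLY);        # keep the marker internal
    accept;
}

protocol bgp transit1 {
    local as MY_AS;
    neighbor 203.0.113.1 as 64496;           # placeholder transit provider
    ipv4 { import all; export filter export_to_transit; };
}

protocol bgp ixpeer1 {
    local as MY_AS;
    neighbor 198.51.100.1 as 64497;          # placeholder local IXP peer
    ipv4 { import all; export filter export_to_local_peers; };
}
```

Removing the community from the static route and reloading the configuration restores the transit announcement once the flood subsides; a `show route export transit1` in `birdc` confirms which state the router is in.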