Linode Community Forums
PostPosted: Wed Oct 24, 2007 12:44 pm 

Joined: Sat Apr 30, 2005 3:38 am
Posts: 23
Simple fact of the matter: if you are repeatedly getting DDoS'd, then you are, or have done something wrong. Period.

Simple solution: stop doing what is causing you to get DDoS'd. Period.

Unfortunately, taking the high-brow route "But I'm running an anti-spam service that stops spam! It's for the good of the internets!" doesn't warm over spammers. This is just one example. Even if you think you're in the right, you're wronging other customers who share your netblock and UML host here at Linode.

Caker's policy is very nice, and he has to take care of the rest of his customers. I don't know what the individual policies are between the different data centers, but Caker & Company may be eating part, if not all, of a LARGE BILL for the bandwidth caused by a DDoS.


PostPosted: Wed Oct 24, 2007 6:00 pm 

Joined: Tue Mar 16, 2004 11:02 pm
Posts: 23
warewolf wrote:
Simple fact of the matter: if you are repeatedly getting DDoS'd, then you are, or have done something wrong. Period.

Simple solution: stop doing what is causing you to get DDoS'd. Period.


You can say that it's a black-and-white issue, but that doesn't make it so, and it does little to contribute to a thoughtful discussion, IMHO.

I'm guessing that maybe you are frustrated that someone would even inquire about the nuances of Linode's DDoS policy, because you imagine that might mean that said person is in some way unaware of the great service that Caker offers, and that said person is in some way ungrateful for all that Caker does.

If this is the case, I assure you that someone can be fully aware and appreciative of Caker's efforts and still be interested in engaging in a discussion of how Linode is run.

So, warewolf, would you be willing to cease "yelling" in this thread? I'd like to have a civil discussion.


Peace,
David


PostPosted: Wed Oct 24, 2007 6:31 pm 

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
besonen wrote:
the burden of identifying the ddos'd IP(s) could be placed on Linode. then all that Hurricane Electric (HE) would have to do would be to set the null route.

This still requires HE NOC staff to reconfigure their routers, which costs Linode money. The process as you describe it can't be completely automated because Linode's decision to null route needs to be implemented in HE's routing tables.

All you have done is replace a Linode staffer getting a pager notification, investigating and then emailing HE, with a bunch of software that emails HE instead. Given the infrequency of this kind of problem and the time needed to develop the software, this is probably pretty near the bottom of Linode's to do list.

_________________
/ Peter


PostPosted: Wed Oct 24, 2007 10:11 pm 

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
pclissold wrote:
The process as you describe it can't be completely automated because Linode's decision to null route needs to be implemented in HE's routing tables.


It could be automated. I can think of one obvious way: a website that Linode staff have access to, to enter/remove null routes, and an automated process on the HE backend to apply them.

It's really not a complicated issue in theory. The practice is harder and would require a LOT of UAT on non-live networks before rolling out to production. This is probably more work than HE want to do, even though it's potentially useful for a lot of their customers.

No, the implementation of the null route can be automated on the HE end.

The part I wouldn't want to automate is the decision to null-route a device in the first place! I'd prefer a human to make that decision.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


PostPosted: Wed Oct 24, 2007 10:45 pm 

Joined: Sat Apr 30, 2005 3:38 am
Posts: 23
besonen wrote:
warewolf wrote:
Simple fact of the matter: if you are repeatedly getting DDoS'd, then you are, or have done something wrong. Period.

Simple solution: stop doing what is causing you to get DDoS'd. Period.


you can say that it's a black and white issue, but that doesn't make it so. and it does little to contribute to a thoughtful discussion, imho.


The internet is a hostile environment, rich with people who have the resources to DDoS lowly little Amazon.com, eBay, and Yahoo off the face of the internet. And they've done it. All they need is a reason to do so. Unfortunately the reality of the situation is just that black and white. The gray area is what the definition of "wrong" is. It could be a multitude of things, from being proactive and running an anti-spam service that actually works, running a website that has compromising photographs of someone's significant other, taking over a channel on IRC, taking someone's IRC nickname on a network that doesn't have a "nickserv", proactively taking down massive botnets that provide DDoS capability, taking down websites that are compromised and serving malicious code that turns Joe Consumer's unpatched Windows box into a DDoS zombie, etc., etc.

I'm not frustrated at someone inquiring about the way Linode is run, or the policy. I'm explaining why what a lot of people are asking for in this thread is impossible and impractical, and providing a viable and simple solution to prevent DDoS coming your way. Linode is cheap. If you are running a service, or your actions online repeatedly cause DDoS to come your way, then Linode isn't the place for you. That's the point of the three-strike policy. It's an incentive for you to relocate to a service provider (or two, or three) that can provide you with the level of service you require. You need to start shelling out big bucks to buy the WAN pipes that can serve your traffic, and not get saturated by the DDoS traffic you receive.

In the eyes of a Transit ISP (HE.net, l3.net, etc.) one man's DDoS is another man's good day of traffic. They simply can't tell the difference. Setting up some kind of automatic system to baseline an IP or netblock's average network utilization would be a maintenance nightmare, and would require a lot more interaction with the Service Providers and their Customers. You and I are Customers. Linode is a Service Provider. Hurricane Electric and ThePlanet are Transit Providers. I'm not blowing smoke; I speak from experience. I am a member of the CSIRC (computer security incident response center) for a US Federal agency that has nearly six hundred thousand public internet IP addresses multi-homed in three separate physical locations through two different transit providers.

It's simple. Don't do things that piss off the people who have the resources to DDoS you off the internet. Your life, and your service provider's lives will be better for it.


PostPosted: Thu Oct 25, 2007 11:13 am 

Joined: Sun Nov 14, 2004 6:37 pm
Posts: 138
Website: http://oldos.org
Location: NC, USA
sweh wrote:
pclissold wrote:
The process as you describe it can't be completely automated because Linode's decision to null route needs to be implemented in HE's routing tables.


It could be automated. I could think of one obvious way; a web site that linode staff have access to to enter/remove null-routes and an automated process on the HE backend to do that.

It's really not a complicated issue in theory. The practice is harder and would require a LOT of UAT testing on non-live networks before rolling out to production. This is probably more work than HE want to do, even though it's potentially useful for a lot of their customers.

No, the implementation of the null route can be automated on the HE end.

The part I wouldn't want to automate is the decision to null-route a device in the first place! I'd prefer a human to make that decision.


I would /not/ want my server at a datacenter that had static routing tables editable by anyone but their NOC technicians.

_________________
Jay Faulkner
http://oldos.org


PostPosted: Thu Oct 25, 2007 1:30 pm 

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
warewolf wrote:
It's simple. Don't do things that piss off the people who have the resources to DDoS you off the internet.


Well, that *is* simple. Is there a list somewhere that I can use?

James


PostPosted: Thu Oct 25, 2007 5:46 pm 

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
Jay wrote:
I would /not/ want my server at a datacenter that had static routing tables editable by anyone but their NOC technicians.

HE would never allow outsiders to edit their routing tables. The null routing process can't be automated because the people/systems that have to make the decision are not the people who can implement the fix.

_________________
/ Peter


PostPosted: Sun Dec 16, 2007 11:37 am 

Joined: Tue Mar 16, 2004 11:02 pm
Posts: 23
Does anyone know if HE uses Juniper routers?

JUNOS SDK announcement:
http://www.juniper.net/company/presscen ... 71210.html


PostPosted: Mon Dec 17, 2007 10:07 am 

Joined: Sat Jun 05, 2004 12:49 am
Posts: 333
Probably Cisco or Foundry.


PostPosted: Mon Dec 17, 2007 2:47 pm 

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
I think they're a Cisco shop. They certainly use 12000 series GSRs for their core.

_________________
/ Peter


PostPosted: Wed Jun 18, 2008 2:29 am 

Joined: Sun Oct 07, 2007 12:07 pm
Posts: 4
Website: http://www.fatbox.ca
Not sure how I found this thread or why I feel compelled to reply to it, but allowing customers to black hole their own IPs to counteract an attack is not hard or uncommon so long as the customers can establish BGP sessions with their carrier(s).

http://www.secsup.org/CustomerBlackHole/


PostPosted: Tue Jun 24, 2008 7:04 pm 

Joined: Mon Apr 28, 2008 2:23 am
Posts: 3
Does the upstream provider even know if Linode owns the IPs they're requesting null-routed?

The netname for my node's IP is NETBLK-THEPLANET-BLK-6. ThePlanet will have allocation records of their IPs, but I'm guessing HE would not have a database of that. I'm not even sure how I would tell...traceroute to a router they know is owned by Linode? How would they even decide who is important enough to have in that database? And, would that work if their router is completely overloaded with the DDoS traffic? (I'm honestly curious; is there a 'right' way for HE to identify that an IP owned by ThePlanet is leased to and actively in use by one of their customers?)

Without that, there would be nothing stopping a shady individual working for some company colocated in ThePlanet's facility from plopping someone else's IPs into the null-route table, right?

All of that aside...at least from my experience, getting Level(3) to make a software change is like moving a mountain stone by stone. I would presume HE would be the same way. And my experience has been with very, very minor things. I cannot imagine what it would take to get them to provide an API for null-routing things...

My two cents. *shrug*
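The workflow sweh sketches (Linode staff enter null routes, the carrier's backend applies them) and the question in the post above (how does the upstream know the requester is actually allocated the address it wants null-routed?) come down to the same check. The following is an added example for this thread, not Linode's or Hurricane Electric's code: a request gate that accepts a blackhole only for a host route inside the requester's own allocations, only with a human approver recorded, and only then renders the standard Cisco IOS static discard route (`ip route ... Null0`). The customer names and prefixes are constructed, and the allocation table, request fields and function names are assumptions made for the example.

```python
"""Gate for operator-submitted null-route (blackhole) requests.

Added example for this thread, not Linode's or Hurricane Electric's code.
It models the split the posters argue for: a human decides to blackhole a
host, software validates the request against the requester's allocations
and only then emits the router change.  Customer names, prefixes and the
request shape are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed allocation table: which downstream customer is allocated which
# prefixes.  A carrier would build this from the same IPAM/contract data that
# drives the prefix-list on that customer's BGP session.
ALLOCATIONS = {
    "linode": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:10::/48"],
    "othercust": ["198.51.100.128/25"],
}


@dataclass
class Decision:
    accepted: bool
    reason: str
    commands: list = field(default_factory=list)


def authorized_for(customer, target):
    """True if target lies within a prefix allocated to customer."""
    for p in ALLOCATIONS.get(customer, []):
        alloc = ipaddress.ip_network(p)
        if alloc.version == target.version and target.subnet_of(alloc):
            return True
    return False


def render_ios(target, remove=False):
    """Static discard route in Cisco IOS syntax for one host route."""
    prefix = "no " if remove else ""
    if target.version == 4:
        return [f"{prefix}ip route {target.network_address} 255.255.255.255 Null0"]
    return [f"{prefix}ipv6 route {target.with_prefixlen} Null0"]


def validate_blackhole_request(customer, target_str, approved_by, active):
    """Return a Decision for a request to blackhole target_str for customer.

    active is the set of host routes currently blackholed; approved_by is the
    name of the human who made the call (empty means nobody did).
    """
    try:
        target = ipaddress.ip_network(target_str, strict=True)
    except ValueError as exc:
        return Decision(False, f"unparseable target: {exc}")
    # Only host routes: a /24 would take the customer's other hosts down too.
    if target.prefixlen != target.max_prefixlen:
        return Decision(False, "only host routes (/32 or /128) may be blackholed")
    # The ownership check the post above asks about: the carrier must know the
    # requester is allocated this address, or any tenant could null-route a
    # neighbour's IP.
    if not authorized_for(customer, target):
        return Decision(False, f"{customer} is not allocated {target}")
    # The decision stays with a person; software only carries it out.
    if not approved_by:
        return Decision(False, "no human approver recorded; refusing to act")
    if target in active:
        return Decision(False, f"{target} is already blackholed")
    return Decision(True, f"approved by {approved_by}", render_ios(target))


if __name__ == "__main__":
    active = set()
    for cust, tgt in [("linode", "192.0.2.7/32"),
                      ("linode", "198.51.100.200/32"),   # othercust's space
                      ("linode", "192.0.2.0/24"),        # too wide
                      ("linode", "2001:db8:10::7/128")]:
        d = validate_blackhole_request(cust, tgt, "peter", active)
        print(cust, tgt, "->", d.accepted, d.reason, d.commands)
        if d.accepted:
            active.add(ipaddress.ip_network(tgt))
```

In the customer-triggered BGP variant the fatbox.ca post links (secsup.org), the same ownership check is the prefix-list on the customer's BGP session: the carrier accepts a blackhole announcement only for addresses inside prefixes that customer is permitted to announce, so a tenant cannot null-route a neighbour's IP. The approver field is there because, as Stephen says, the decision to null-route is the part nobody in the thread wants automated; the router change is the part that can be.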

