From: Ted Wandland <twandland@prolexic.com>
To: Jared Richo <jericho-attrition.org>
Date: Thu, 16 Aug 2012 21:00:49 +0000 (GMT)
Subject: Prolexic DDoS Protection Follow-up

Hi Jared,

Thank you for downloading Prolexic's latest Attack Report. I hope you found the information in the download helpful and it has you thinking about your DDoS strategy and best practices.

I would like to arrange a call to discuss your needs for DDoS Protection and how Prolexic can help.

I look forward to the opportunity to work with you in the future.

Regards,

Ted Wandland | Inside Sales Representative
Prolexic Technologies | DDoS Attacks End Here.

From: Jared Richo <jericho-attrition.org>
To: Ted Wandland <twandland@prolexic.com>
Bcc: Lyger <lyger-attrition.org>
Date: Fri, 17 Aug 2012 13:22:26 -0500 (CDT)
Subject: Re: Prolexic DDoS Protection Follow-up

On Thu, 16 Aug 2012, Ted Wandland wrote:

: Thank you for downloading Prolexic's latest Attack Report. I hope you
: found the information in the download helpful and it has you thinking
: about your DDoS strategy and best practices.

Our current DDoS strategy is to shut off our web server and wait for the kids to get bored. This strategy is largely based on past experience, where a 41 day DDoS brought the web server to its knees. That same DDoS, when leveled at our mail and DNS server could not do the trick. Oh, all three of those are really the same box.

Anyway, after days of tweaking our configuration and adding custom netblocks to our high-end firewall (iptables), we determined it wouldn't help much. So then we tried the ever popular 'CloudFlare' service to help protect us. A day later, after bouts of uncontrollable laughter at how ineffective the service was, we turned it off. The notion that "we will protect against attacks vs your A and CNAME records" being a real and viable solution is comedy gold. Apparently, attacks are still launched against an IP address! Who knew?!

Finally, we were given a high-end anti-DDoS device to put on our network. While it did help to some degree, it wasn't enough to get our poor little web server back online in a reliable manner. We shipped it back, with many thanks, and changed our DDoS strategy to this:

10 If DDoS, turn off web server
20 Wait 12 hours
30 If DDoS persists, keep web server off
40 GOTO 20

We found this to be a very effective strategy for us, largely because our apathy knows no bounds. We basically don't give a shit if people can't reach our web server.

Jared