[opendais]

I think the fundamental problem is cost. Much like raising an army, protecting against things like DDoS on the scale of 10Gbps+ costs real money.

Services like Cloudflare, Blacklotus, etc. act like insurance companies [e.g. You have a pool of X services and only Y are getting attacked at a time]. This gives them an economy of scale others can't match on their own. I'd like to see a non-profit public internet security service tbh but I don't think it'd raise the capital it would need to get to the level Cloudflare is at.

Provisioning something like this yourself is going to probably cost you $450 per Gbps of mitigation per month. HE is selling transit for $.45/Mbps/month, for instance. Then you'd need to clean it. HE can't provision this instantly or on demand, so you'd need to have it built out and semi-permanent [e.g. long term contract for 100s of Gbps].

You can create multiple targets too but the costs are still roughly the same vs. one big target. [e.g. 10 x 10 Gbps is pretty much as effective as 1 x 100 Gbps and similar costs]

[rdl]

I think one of the useful things to point out is how the $2-5/Mbps transit ($0.45/Mbps transit is probably not realistic in enough places) is billed -- generally, 95th percentile of the higher of inbound or outbound.

So, a site which has a lot of outbound traffic (most web servers) essentially has an equal amount of "free" inbound capacity available. You could sell this to someone doing web crawls, or online backups, or something, but DDoS (if you end up paying for it) is essentially all inbound, too.

The best position to absorb DDoS, if you're not a specialty firm, is to have a huge amount of outgoing web server traffic, huge systems built for that, and really great cooperation with your upstreams to push out filters as quickly as possible. The problem is this only really works against pure resource-consumption DDoS; if people realize a 50Gbps syn flood doesn't affect you too much, they'll move up the stack to layer 7, and then custom-tailored layer 7.

For a site which is huge and constantly being attacked, I could see this becoming a core competency (USG?) -- for anyone else, it's probably something you could outsource.

There are drawbacks to outsourcing your network, but if you're already hosted in the cloud, those drawbacks are mainly the incremental reliability of your outsourced edge provider -- pick a good one. If you're not in the cloud, you need to be very clear what your security model is -- I definitely wouldn't trust bitcoins to any outsourced service provider operating above the atoms level (i.e. a cage in a colo, with no security dependency on anyone running anything above that), but DDoS mitigation is critical for that kind of business -- the optimal situation is to have "untrusted" frontend nodes handling all your incoming traffic, with DDoS mitigation as a service, WAF, etc. probably outsourced, and then application-specific security on your own infrastructure. The DDoS layer can, if it fails, DoS you, but you can switch away from it. The DDoS layer can't actually subvert your application beyond that.

[JoshTriplett]

Typically, you pay a fixed extra cost for a gigabit or 10Gbps link, but beyond that you only pay for traffic. So, a DDoS will cost you a fair bit, but having the spare capacity to weather one shouldn't cost you all that much. (Depending on just how much you expect to get hit by.)

I'm more curious why we don't start large-scale investigations in response to each DDoS attack: each one gives you a list of machines likely participating in a botnet.

[devicenull]

> I'm more curious why we don't start large-scale investigations in response to each DDoS attack: each one gives you a list of machines likely participating in a botnet.

No, at this point the machines are most likely 'innocent' and are just running exploitable services (usually NTP, DNS, or chargen). Despite widespread knowledge of the vulnerabilities of these protocols ( http://openresolverproject.org/ http://openntpproject.org/ ) getting people to actually fix their systems is hard. Since the systems themselves aren't compromised, investigating each one is not really a good use of your time.

These attacks rely on the ability of the attacker to spoof IP addresses. Tracking down the sources of these spoofed packets would be more useful, but this requires the cooperation of the transit providers. It will also lead back to providers that make money by allowing spoofed traffic in the first place. Ecatel is the well known one right now, they are very popular in the 'booter' business.

[opendais]

I suppose I wasn't very clear then. Ah well, life.

> I'm more curious why we don't start large-scale investigations in response to each DDoS attack: each one gives you a list of machines likely participating in a botnet.

https://securityledger.com/2013/04/cyberbunker-owner-arreste...

They do. It just has to be large enough.

[JoshTriplett]

I'm not just talking about finding the originator of the attack; I'm talking about finding and cutting off all the vulnerable systems that facilitate the attacks.

[equalitie]

"I'd like to see a non-profit public internet security service tbh" - that would be us, opendais :) We do open source digisec solutions for civil society and independent media. Check out the DDoS mitigation service https://deflect.ca.

[opendais]

Cool.

https://github.com/equalitie looks like you are open sourcing some of it as well? Or all? :)

[equalitie]

all of it!

https://wiki.deflect.ca/wiki/Deflect_DIY

we have principles too :) https://equalit.ie/declaration-distributed-online-services/