Whether you are a large web host or a small ISP serving a neighborhood, DDoS attacks in India can be extremely problematic and hard-hitting. Here are some ways to limit how badly you are affected. All of these solutions assume that you are running BGP. We were able to talk to experts at https://the-indexer.com/, who provided us with this very valuable internet security information. It’s one of the things they specialize in, so it’s safe to say you should take their recommendations to heart.
Preparing for an attack
Do either one of the following things:
- DDoS protection from transit provider – Get DDoS-protected IP transit from Tata Communications Ltd. (AS4755). You can use it alongside other transit providers. This may cost about 30% more than normal IP transit but will save your business when you get an attack. When they detect an attack, they will originate the attacked IP pool at all of their edge locations with Arbor filtering devices and run a GRE tunnel from there. Tata has enough capacity to bear 300-400 Gbps of attack. They also have a Chennai location for traffic from attacks originating inside India. Other transit players also offer similar services, but do keep in mind that they may not have the capacity to bear a huge attack. If you frequently deal with attacks, then announcing more specifics on the DDoS-protected upstream(s) can be a good idea.
- Scrubbing solution providers – A cheaper option is to start originating your IP pool during an attack with one of the providers offering scrubbing services outside India, where transit is cheap, and run a GRE tunnel from there. Using BGP communities can help.
Other general tricks
- Null routing with BGP communities – Ask your transit player for support for null routing with BGP communities. After that, if you want to blackhole traffic for even a /32 from the source network itself, you can do so by tagging the announcement with the [upstreamASN]:666 community. This is great if the attack is on a single customer and bearing the attack costs you far more than you earn from that customer.
- Stop announcing your pool – If you are a retail ISP and everything else fails, then you can simply NAT all your public IPs behind the IP on your side of the /30 provided to you by the transit provider. Stop the announcements. Attacks will stop.
As always, automate whichever solution you go for. You can also try visiting the nearest police station. 😛
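One way to automate the null-routing step above, as an added example that is not from the original post: it turns per-destination traffic rates into /32 blackhole announcements tagged [upstreamASN]:666 and refuses prefixes outside your own pool. The ASN, pool, thresholds and rates are constructed, and the ExaBGP-style output line is an assumed choice of tooling (the post names none).

```python
import ipaddress

# All values below are constructed for illustration.
UPSTREAM_ASN = 64500                                  # stands in for [upstreamASN]
OWN_POOLS = [ipaddress.ip_network("203.0.113.0/24")]  # pool we originate
MIN_PREFIX_LEN = 29             # assumed guard: never blackhole anything wider
THRESHOLD_BPS = 2_000_000_000   # assumed per-destination attack threshold
MAX_TARGETS = 2                 # assumed: more victims means a pool-wide attack


def blackhole_line(target, action="announce"):
    """Return one ExaBGP-style API line tagging target with ASN:666."""
    if action not in ("announce", "withdraw"):
        raise ValueError("action must be announce or withdraw")
    net = ipaddress.ip_network(target, strict=True)
    if net.version != 4 or not any(net.subnet_of(p) for p in OWN_POOLS):
        raise ValueError(f"{net} is not inside a pool we originate")
    if net.prefixlen < MIN_PREFIX_LEN:
        raise ValueError(f"{net} is too wide to blackhole automatically")
    return f"{action} route {net} next-hop self community [{UPSTREAM_ASN}:666]"


def plan(rates_bps):
    """Map per-destination rates (bits/s) to blackhole lines, or [] to escalate."""
    hot = sorted(ip for ip, bps in rates_bps.items() if bps >= THRESHOLD_BPS)
    if not hot or len(hot) > MAX_TARGETS:
        return []  # nothing to do, or too many victims: use scrubbing instead
    return [blackhole_line(f"{ip}/32") for ip in hot]


# Constructed sample: one customer IP under attack, two at normal load.
SAMPLE_RATES = {
    "203.0.113.7": 9_500_000_000,
    "203.0.113.20": 40_000_000,
    "203.0.113.99": 120_000_000,
}

if __name__ == "__main__":
    for line in plan(SAMPLE_RATES):
        print(line)
```

The same function with action="withdraw" produces the line that lifts the blackhole once the attack subsides.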
I hope that was useful. I am sorry about the lack of posts on this blog. I don’t get enough spare time anymore. 🙁