Varun Priolkar

How to protect against DDOS attacks in India

Whether you are a large web host or a small ISP serving a neighbourhood, DDOS attacks in India can be extremely problematic and hard hitting. Here are some of the ways you can ensure that you aren’t affected much. All of these solutions assume that you are running BGP.

Preparing for an attack

Do either one of the following things:

  1. DDOS protection from transit provider – Get DDOS protected IP transit from Tata Communications Ltd. (AS4755). You can use it alongside other transit providers. This may cost about 30% more than normal IP transit, but it will save your business when you get an attack. When they detect an attack, they will originate the attacked IP pool at all of their edge locations with Arbor filtering devices and run a GRE tunnel back to you from there. Tata has enough capacity to bear 300-400 Gbps of attack. They also have a Chennai location for attacks originating inside India. Other transit players also offer similar services, but do keep in mind that they may not have the capacity to bear a huge attack. If you frequently deal with attacks, then announcing a more specific prefix on your DDOS protected upstream(s) can be a good idea.
  2. Scrubbing solution providers – A cheaper option is to start originating your IP pool during an attack with one of the providers offering scrubbing services outside India, where transit is cheap, and run a GRE tunnel from there. Using BGP communities can help.

Other general tricks

  1. Null routing with BGP communities – Ask your transit player for support for null routing with BGP communities. After that, if you want to blackhole traffic to a prefix as small as a /32 inside the transit network itself, you can do so by tagging the announcement with the [upstreamASN]:666 community. This is great if the attack is on a single customer and it is costing you far more to bear the attack than you earn from that customer.
  2. Stop announcing your pool – If you are a retail ISP and everything else fails, then you can simply NAT all your public IPs behind the IP on your side of the /30 provided to you by the transit provider. Stop the announcements, and the attacks will stop.
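The two BGP responses described above (blackholing a single attacked host with the upstream's ASN:666 community, and steering an attacked block to a DDOS protected upstream by announcing a more specific prefix only to that neighbour) are both just route announcements, so they are easy to automate. The following is an added example, not code from this blog or from any transit provider. It assumes the edge router is driven through ExaBGP, which accepts text commands such as `announce route <prefix> next-hop <ip> community [<asn>:<value>]` and the per-session form `neighbor <ip> announce route ...` on its API pipe; the upstream ASN (64496), the owned pools (192.0.2.0/24 and 198.18.0.0/15), the neighbour and next-hop addresses are all constructed documentation values. The ownership check matters: a mistyped prefix would otherwise blackhole or hijack address space that is not yours.

```python
"""Build ExaBGP API commands for BGP-based DDoS responses.

Added illustration; assumptions are documented in each function.
Addresses are RFC 5737 / RFC 2544 documentation space and ASN 64496 is a
documentation ASN. All of them are constructed for this example.
"""
import ipaddress
from typing import Iterable, List, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

BLACKHOLE_VALUE = 666  # conventional blackhole community: <upstreamASN>:666
MAX_DFZ_PREFIXLEN = 24  # longer IPv4 prefixes are commonly filtered by transit


def _net(prefix: str) -> IPNet:
    # strict=True rejects host bits set in a network prefix (e.g. 192.0.2.1/24)
    return ipaddress.ip_network(prefix, strict=True)


def check_owned(prefix: str, owned_pools: Iterable[str]) -> IPNet:
    """Return the parsed prefix only if it lies inside one of our own pools.

    Never announce (and certainly never blackhole) space we do not hold.
    """
    net = _net(prefix)
    for pool in owned_pools:
        p = _net(pool)
        if p.version == net.version and net.subnet_of(p):
            return net
    raise ValueError(f"{prefix} is not inside an owned pool")


def blackhole_command(host_prefix: str, upstream_asn: int, next_hop: str,
                      owned_pools: Iterable[str]) -> str:
    """ExaBGP command that tags one attacked host with the upstream's
    blackhole community so the transit network drops traffic to it."""
    net = check_owned(host_prefix, owned_pools)
    if net.prefixlen != net.max_prefixlen:
        raise ValueError("blackhole the single attacked host, not a whole block")
    if not 1 <= upstream_asn <= 65535:
        # standard communities carry a 16-bit ASN; assumption: upstream uses one
        raise ValueError("standard community needs a 16-bit ASN")
    return (f"announce route {net} next-hop {next_hop} "
            f"community [{upstream_asn}:{BLACKHOLE_VALUE}]")


def withdraw_command(prefix: str, next_hop: str, owned_pools: Iterable[str]) -> str:
    """ExaBGP command to lift the blackhole (or any announcement) again."""
    net = check_owned(prefix, owned_pools)
    return f"withdraw route {net} next-hop {next_hop}"


def steer_commands(block: str, protected_neighbor: str, next_hop: str,
                   owned_pools: Iterable[str]) -> List[str]:
    """Announce `block` only to the DDoS-protected upstream.

    The aggregate stays announced everywhere; the more specific wins by
    longest-prefix match, so traffic for the attacked block enters via the
    scrubbed path and returns over the GRE tunnel.
    """
    net = check_owned(block, owned_pools)
    if any(net == _net(p) for p in owned_pools):
        raise ValueError("announce a more specific prefix, not the aggregate itself")
    if net.version == 4 and net.prefixlen > MAX_DFZ_PREFIXLEN:
        raise ValueError(f"IPv4 prefixes longer than /{MAX_DFZ_PREFIXLEN} are usually filtered")
    return [f"neighbor {protected_neighbor} announce route {net} next-hop {next_hop}"]


if __name__ == "__main__":
    pools = ["192.0.2.0/24", "198.18.0.0/15"]  # constructed owned space
    # attacked customer host: cheaper to drop than to carry
    print(blackhole_command("192.0.2.10/32", 64496, "203.0.113.2", pools))
    # attacked block worth keeping online: send it via the protected upstream
    for cmd in steer_commands("198.18.5.0/24", "203.0.113.1", "203.0.113.2", pools):
        print(cmd)
    # after the attack subsides
    print(withdraw_command("192.0.2.10/32", "203.0.113.2", pools))
```

Feed the printed lines to ExaBGP's API process (for example from a script named in its configuration) and wire the calls to whatever triggers you use, such as flow-based rate alarms; keep the withdraw path automated as well, so a blackhole does not outlive the attack.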

As always, automate any solution that you will be going for. You can also try visiting the nearest police station. 😛

I hope that was useful. I am sorry about the lack of posts on this blog. I don’t get enough spare time anymore. 🙁

4 Comments

  1. We can also use Cymru Unwanted Traffic Removal Service (UTRS) for black holing. And yes things need to be automated – http://bit.ly/2rdIi1k

  2. Null routing with BGP communities ?
    Will this work for a bigger block or smaller blocks only ?

    I don’t think the transit companies would be keen to support this or do it for the ISP partner too.

    • varunpriolkar

      31st May 2017 at 11:40 am

      They do if you are a large enough customer and you specifically ask for it. Or you can get like 5-10 Mbps transit in Europe and announce more specific block over that community when you want to null route it.

      Any block should work as long as it is more specific.
