There was a time when DDoS attacks lived in obscurity, known only to us tech folks. Now they’re on the nightly news and I talk about them at art shows. What the heck happened?! Well, as more of the resources of our everyday life move online, there are more targets than ever. Meanwhile, the cost of performing a DNS-based amplification DDoS attack has at least held steady, if not fallen, given that there are more connected devices to take advantage of in a botnet. This would be harder if internet service providers conformed to the ingress filtering described in BCP38, which drops packets with spoofed source addresses at the network edge, but they haven’t.
Look, you can try to ride out a DDoS if you really want to, but again – it’s 2016. There is an easier way. Some of the most common DDoS attacks are on DNS, because it’s easy. So outsource your DNS already. This means your DNS vendor (or vendors) becomes the distributed edge that takes the attack for you. On the chance that you are the target, your vendor will have the staff, training, hardware, and connectivity to easily thwart a DDoS. It’s worth looking at vendors’ track records and asking what their strategy is, as you will be entrusting them with your domain. Us? We’ve been delivering industry-leading availability since our network launched over a decade ago.
So what if it isn’t a DNS attack? Unless you’re running a global anycast network like we are, it can be hard to isolate an attack and move it to where you have the resources to handle it. Because Dyn operates at the DNS layer, we are able to geo-target traffic before it enters the pipe to your data center. This is a unique place to route from, as it means traffic can be moved around the world, giving your major sites a break, or even sent to a different provider.
Just how do those scrubbing services work anyway? Most of them work by becoming the new upstream, in BGP, for the IP prefixes you want scrubbed. If you activate it on the fly, as most do, then when you call upon the service in the moment of need the scrubber removes the bad traffic before passing the rest back to your origin for normal production operation. That’s all great, but how well do they take control of your BGP? As it turns out, these services can do a haphazard job of taking control of the prefix, which causes two problems. First, if there is a route to your prefix that goes around the scrubbing service because the new route didn’t fully propagate, attackers may find it and push their attack around your scrubbing service as well. Now you’re paying a lot of money for a link which isn’t doing its job. The second scenario is the one in our diagram above. As you can see, the scrubbing service botched the propagation, which caused periods of time in which there were no routes to the destination at all. You activated a scrubbing service and that caused an outage!
It’s not my place to pick favorites, and I’ve found there is no such thing as a perfect provider. Your best shot is to actively monitor your vendors – on all levels, including us – to keep them honest that you’re getting what you paid for. If you’re not, and they won’t fix it or offer a reasonable explanation – time to find a new one.
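The two scrubbing failure modes described above (a leftover route that lets traffic bypass the scrubber, and a propagation gap with no route at all) are exactly what the vendor monitoring recommended here should catch. The following is an added example, not Dyn’s code or any scrubbing vendor’s: it takes route observations already collected from several external vantage points and classifies each one. The prefix and ASNs are constructed placeholders from the RFC 5737 / RFC 5398 documentation ranges, the record layout is an assumption, and collecting the observations (from looking glasses or route collectors) is left out of scope.

```python
"""Audit a scrubbing-service BGP cutover from multiple vantage points.

Added example. Assumes route observations for the protected prefix have
already been gathered from external vantage points into Observation records.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholders: documentation prefix (RFC 5737) and ASNs (RFC 5398).
PROTECTED_PREFIX = ipaddress.ip_network("198.51.100.0/24")  # prefix handed to the scrubber
SCRUBBER_ASN = 64500                                         # scrubbing vendor's ASN
ORIGIN_ASN = 64510                                           # our own ASN


@dataclass
class Observation:
    vantage: str            # vantage point that reported the route
    prefix: Optional[str]   # covering prefix seen there, None if no route at all
    as_path: List[int]      # AS path as seen from that vantage (empty if no route)


def _collapse_prepends(path: List[int]) -> List[int]:
    """Collapse consecutive duplicate ASNs so AS-path prepending doesn't hide the real upstream."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def classify(obs: Observation) -> str:
    """Return 'ok', 'no_route' or 'bypass' for a single vantage point's view.

    'ok'       : the scrubber is the origin's direct upstream, or originates the prefix itself
                 (the tunnel-back deployment variant; assumed, not described on the page).
    'no_route' : nothing covering the prefix is visible -> the propagation-gap outage case.
    'bypass'   : a covering route exists but reaches the origin without the scrubber in front.
    """
    if obs.prefix is None or not obs.as_path:
        return "no_route"
    seen = ipaddress.ip_network(obs.prefix)
    if not PROTECTED_PREFIX.subnet_of(seen):
        return "no_route"  # the reported route doesn't even cover our prefix
    path = _collapse_prepends(obs.as_path)
    if path[-1] == SCRUBBER_ASN:
        return "ok"
    if len(path) >= 2 and path[-1] == ORIGIN_ASN and path[-2] == SCRUBBER_ASN:
        return "ok"
    return "bypass"


def audit(observations: List[Observation]) -> Dict[str, object]:
    """Summarise every vantage point; 'healthy' is True only when all of them look right."""
    verdicts = {o.vantage: classify(o) for o in observations}
    problems = {v: s for v, s in verdicts.items() if s != "ok"}
    return {"verdicts": verdicts, "problems": problems, "healthy": not problems}


# Constructed sample observations shortly after activating the scrubber.
SAMPLE_OBSERVATIONS = [
    Observation("lg-eu-1", "198.51.100.0/24", [64496, 64500, 64510]),         # via scrubber
    Observation("lg-us-1", "198.51.100.0/24", [64497, 64500, 64510, 64510]),  # via scrubber, prepended origin
    Observation("lg-ap-1", "198.51.100.0/24", [64498, 64499, 64510]),         # old upstream still announced
    Observation("lg-sa-1", None, []),                                          # no route: propagation gap
]

if __name__ == "__main__":
    report = audit(SAMPLE_OBSERVATIONS)
    for vantage, verdict in report["verdicts"].items():
        print(f"{vantage:8s} {verdict}")
    print("healthy" if report["healthy"] else f"PROBLEMS: {report['problems']}")
```

Run it periodically against fresh observations during and after a cutover: any `bypass` verdict means the "link that isn't doing its job" case, and any `no_route` verdict means the outage case, and both are grounds for the explanation-or-new-vendor conversation the post ends on.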