[cs615asa] Question & Reference

Jan Schaumann jschauma at stevens.edu
Tue Jan 23 23:13:39 EST 2018


Divyendra Patil <dpatil3 at stevens.edu> wrote:
> 
> How does a SysAdmin face a DDoS attack on a system he is monitoring/looking over.
> An IDS/firewall can detect such stuff but what can a SysAdmin do to minimize the damage under heavy load?
> Increasing Bandwidth, Load Sharing, redirecting the traffic or blocking a particular set of IPs is not a permanent solution to this problem.

You're correct in that these things are not a permanent solution, but
that is the nature of the problem.  By definition, a DDoS attack is an
anomaly, which means that you need to be able to absorb an order of
magnitude more traffic for a short period of time.

This stresses the importance of having an infrastructure that is
flexible and elastic and can automatically adjust to the demands.

Some mitigations or techniques that are helpful include trying to
identify and differentiate the attack traffic from normal traffic and
blackhole it, to automatically spin up additional services or instances
to absorb the load, or to update your DNS and global load balancing
mappings to e.g. direct attack traffic into one location and other
traffic to another.

After the attack subsides, you then need to scale back down.  All of
this can get very complex quickly, and not all companies or
organizations will be able to handle this efficiently, so outsourcing
this protection to another provider such as Cloudflare may well be a
good solution.

However, since in this class we are always thinking about scale as well
as the fundamental concepts underlying any problem or solution, we will
generally not pull the "let's just outsource this" card.  What if you
are Cloudflare?  You can't outsource the problem that you're trying to
solve yourself.  Other companies, such as Amazon, Google, Microsoft, or
Yahoo, also don't use Cloudflare and solve this problem themselves.

-Jan
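An added illustration (not part of the original post or the course material) of the "differentiate attack traffic from normal traffic, blackhole it, then scale back down" step described above: per-source request rates over a window are compared against the median, sources an order of magnitude above it become temporary null-route candidates, and entries expire once the source goes quiet. The log records and IP addresses are constructed sample data.

```python
from collections import Counter
import statistics

# Constructed sample: (timestamp_seconds, source_ip) pairs standing in for
# parsed access-log records. Hypothetical addresses, not from the original post.
SAMPLE = (
    [(t, "203.0.113.7") for t in range(0, 60)]                      # 60 req/min
    + [(t, "203.0.113.8") for t in range(0, 60, 2)]                 # 30 req/min
    + [(t, "198.51.100.9") for t in range(0, 60, 3)]                # 20 req/min
    + [(t, "192.0.2.50") for t in range(0, 60) for _ in range(40)]  # 2400 req/min
)


def per_source_rates(records, window_start, window_len):
    """Count requests per source within [window_start, window_start + window_len)."""
    return Counter(src for ts, src in records
                   if window_start <= ts < window_start + window_len)


def blackhole_candidates(rates, factor=10):
    """Sources whose rate is at least `factor` times the median of all sources.

    The median is used as the 'normal traffic' baseline so that a single
    very loud source cannot drag the baseline up and hide itself.
    """
    if len(rates) < 2:
        return set()  # no population to compare against
    baseline = statistics.median(rates.values())
    return {src for src, n in rates.items() if n >= factor * baseline}


class BlackholeTable:
    """Temporary null-route list: entries are refreshed while a source is hot
    and dropped once it has been quiet for `ttl` seconds (the scale-back step)."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.expires = {}  # source -> expiry timestamp

    def update(self, rates, now, factor=10):
        for src in blackhole_candidates(rates, factor):
            self.expires[src] = now + self.ttl
        self.expires = {s: e for s, e in self.expires.items() if e > now}
        return set(self.expires)


if __name__ == "__main__":
    rates = per_source_rates(SAMPLE, 0, 60)
    table = BlackholeTable(ttl=120)
    print("blackholed at t=60:", table.update(rates, now=60))
    print("blackholed at t=200 (attack over):", table.update({}, now=200))
```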

