DDoS Resiliency Workshop – 2022

Revised, Updated, and Enhance DDoS Resiliency Workshops for Today’s Internet

In the late 1990s, several people started teaching ISPs how to protect their networks from attack. These early “DDoS Resiliency Workshops” evolved in a consistent theme and method that eventually curated best common practices for DDoS resiliency. Unfortunately, the threats from attacks to Communications Services Providers (CSPs), Internet Sevice Providers (ISPs), Cloud Providers, Edge Providers, and the modern “hyper-connected” organization have increased, not decreased. In essence, the threats to the core Internet infrastructure are growing.

We cannot ignore the growing, expanding, and unrelenting DDoS threat. We now live in a world where any system connected to the global telecommunications system (the Internet), must be resilient to DDoS. The capacity to launch DDoS attacks expands. The means of access and launch attacks are getting simpler. The miscreants setting up these DDoS systems are not getting caught nor “incentivized” to stop.

In parallel to the increasing threats, we are building networks by leveraging interconnected and interdependent cloud, edge, DevOps, and many other technologies. These interdependent and rapidly deployed systems provide exceptional services. But, the vast majority of these services lack resiliency and do not think about their fragility to DDoS. DDoS miscreants do their homework, finding vulnerable elements that collapse the whole “interconnected solution.”

In many ways, as an industry, we’re being DDoS complacent. The consequence of that complacency is allowing for the DDoS Risk to increase. The people behind DDoS run around making money from their criminal enterprises, and an increasing number of systems are at severe risk.

The 2022 campaign for Rethinking Internet Resiliency to Prepare for Today’s and Tomorrow’s DDoS Attacks builds on DDoS Resiliency Workshops in the past but is updated with the knowledge from the past ten years of DDoS attacks. It is a rethinking of DDoS Resiliency to focus on the engineering, risk mitigation, and intentional remediation of the risk (i.e., pushing back on the badness). It is focused on teaching new generations of engineers and architects to empower them with the knowledge to build more resiliency systems.


Representing Asia Pacific’s largest international Internet conference, Asia Pacific Regional Internet Conference on Operational Technologies (APRICOT) draws many of the world’s best Internet engineers, operators, researchers, service providers, users, and policy communities from over 50 countries to teach, present, and do their own human networking. APRICOT’s Tutorial/Workshop week kicked off the Rethinking DDoS Resiliency Workshops. These Workshops are online via Zoom (see APRICOT Tutorial Program) and on the Senki Youtube Channel.

APRICOT 2022 – Day 1 Workshops

Session 0 – “Shields Up! – Reading & Acting on the CSIRT/CERT Advisories

National CSIRT/CERT organizations push out alerts all the time. DO NOT IGNORE THESE ALERTS! They are provided intelligence that warrants an organization to minimize risk through action. The problem is many times these alerts are confusing, have a “kitchen sink” of advice, and paralyze their constituencies with the fog of “I don’t understand the “action ask.” We will use one example to help organizations read through and review the advice and then be able to take immediate and simple actions that step forward to minimize risk.

Session 2 – Understanding the DDoS Miscreants – Why are they Attacking?

Packets do not launch DDoS attacks. People launch DDoS Attacks. This module will walk through the motivations and objectives of why DDoS attacks are used to achieve a nefarious objective.

APRICOT 2022 – Day 2 Workshops

Session 4 – Responding to DDoS Attacks – Using the Basic Tools

A fancy fire engine does not put out fires. DDoS Resiliency requires an understanding of how all the techniques, tools, and foundation principles work together. This session will walk through many DDoS attack situations, the impact of those attacks, and how the “DDoS Toolkit” can be used to mitigate the DDoS.

Session 5 – SAV and BCP38 – Hard Realities of Source Address Validation

99% of the Internet does not need to send a source address that does not belong to them. “Spoofing” IP sources addresses are one of the core problems with miscreant activities on the Internet. Source Address Validation (SAV) is applied to packets at an organizational boundary. This module walks through the SAV, why it is a threat, how organizations can plug the hole, and what to ask the upstream organizations.

APRICOT 2022 – Day 3 Workshops

Session 6 – DDoS Runbook/Playbook

Practice, Practice, Practice! The firetruck does not put out the fire. Knowing the engineering and technology does not put out the fire. Practicing, training, and having a good craft playbook are the core touchpoints needed to put out the fire. A DDoS Playbook (also called a Runbook) pulls the elements of the DDoS Toolkit into known scenarios with actions and reactions.

Session 16 – Don’t Neglect DNS!

DNS is an afterthought. Ironic since DNS Resolver and Authoritative infrastructures are critical to EVERYTHING on the Internet. This session will walk through the threats to DNS systems to provide an understanding of the risk and why DNS architecture need to be the forefront of all our designs and operations.

APRICOT 2022 – Day 4 Workshops

Session 4.1 – Protecting Routers, Switches, and Network Devices (Point Protection)

Router, switches, and network elements are getting broken into. They are used by miscreants of all types to control networks. They are being turned into powerful botnets. The irony is that the basics can mitigate the threat of network devices getting violated. This module helps organizations use simple tools to lock down their network and keep it safe from miscreant activities.

Session 3 – Building Anti-DDoS Collations, Alliances, and Partnerships

DDoS Response is a community effort. Building a “community of trust” that can help you in the middle of a DDoS attack does not work. Depending on a vendor to “do it all for you” is giving the vendor power over your business. There are communities of peers who are working together to mitigate DDoS Risk, help each other during a crisis, track down the miscreants, and share new “anti-DDoS tools.” This session will explore the principles of building collective action against DDoS, investing in these communities, exploring ways to leverage these communities, and how they help during a crisis.

APRICOT 2022 – Day 5 Workshops

Session 9 – Conversations with your ISPs & Vendors about DDoS Responsibilities

Fact – Much of the DDoS Risk is exacerbated inaction by the ISPs, Mobile, and telecommunications operators. Mutually Agreed Norms for Routing Security (MANRS) is a helpful tool, but most organizations don’t make MANRS compliance part of their “RFP” requirements. We know the risk. Shadowserver and CyberGreen both provide tools to illustrate the DDoS Threat Potential of the ASN (ISPs). Quick mapping of the peers and upstreams of the ISP will expand on that risk. This session will walk through what must be included in a “meaningful security conversation” with your ISP. We’ll walk everyone through a script that can be a starting point with the ISP. This “anti-DDoS conversation tool” would then be used to ask the details behind core RPF questions that, when mandatory, help to wake up the ISP complacency that is endemic to our industry’s DDoS risk.

Session 17 – Executive Cyber Leadership – It is Not Hard!

Leadership is critical in a security crisis. It is not hard, it just takes the brave steps to be the “servant” of the team who works for you, clearing the path for their success.

Further Reading for DDoS Resiliency

Don’t stop with these DDoS Resiliency Architecture materials. Here are other resources from past DDoS Resiliency Workshops, Videos, and other empowering materials that you can leverage.

Realities of Today’s DDoS Security Risk (APRICOT 2021) – Covers the DDoS Extortion wave from Q4 2020.

Securing Your Network Using Shadowserver’s Daily Network Reports (SGNOG8) – How do we clean up all the DDoS Reflectors on the Internet?

DNS is Under Attack: the Miscreant’s Offensive Playbook with a Defensive Counter (APRICOT 2021) – DNS Authoritative systems get whacked by DDoS all the time. Don’t neglect it!

Meaningful Security Conversations with your Vendors Can vendors ever provide secure solutions? (APRICOT 2021)

DDoS Extortionist’s Behaviors and the supporting Session 2 – Understanding the DDoS Miscreants – Why are they Attacking? (APRICOT 2022 – Day 1)

Expected DoS Attacks – 10 Steps to Prepare for the Pain – Recommendations to kick start the preparation for an expected attack.

DDoS Attack Preparation Workbook – Collection of guides based on collective experience and FIRST community.

Realities of Today’s DDoS Security Risk – Updated from NZITF and presented @ APRICOT 2021. Using DDoS Miscreant Behaviors to Enhance your DDoS Resiliency Architecture.

9 Practical Steps to Prepare for DDoS Attack (Why are DDoS Miscreants Picking on Aotearoa?) – DDoS Behavior not seen in a while that needs attention, along with future new DDoS tools.

DDoS Storm Warning! – DDoS Extortionist Behavior & Activity (2021-11) – Tracking the behavior of the DDoS Extortionist.

Need Security Advice?

If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at bgreene@senki.org. Help organizations leverage the surrounding talent to get started with their security activities. Start with the DDoS Attack Preparation Workbook. It is no-nonsense security for all organizations (Enterprises, ISPs, Cloud, CSPs, Edge, IoT, etc). The workbook provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights. You can sign up to the mailing list for updates here: Stay Connected with Senki’s Updates.