
Jeremy Chadwick wrote:
> Let me clarify my question: as a system administrator, when I'm told someone is DoS/DDoS'ing something, I immediately react in two ways: 1) mitigate impact, and 2) find out why said attack happened.
As a sysadmin, I suspect you're a little closer to the 'end' of the path, while netadmins (especially SP netadmins) are more in the middle. I have a customer who's just a magnet for DoS attacks, based on a bunch of history/legacy of ownership and the like. For me/us, we (attempt to) do two things: deflect the attack away from the victim (allowing the rest of the customer's network to come up for air), then (if possible) deflect the source of the attack. If the attack continues longer and/or stronger, we contact upstreams to request investigation and/or deflection upstream.
> Do networking engineers do analysis of these scenarios in an attempt to ensure the situation doesn't recur, or do the efforts stop at "we put up some filters, time for lunch"?
Given the very rare success of finding ANYTHING out, there's rarely motivation to do much other than filter things. pt