North American Network Operators Group


Re: Fair Queuing combats DDoS? [was Re: Yahoo! Lessons Learned ]

  • From: NANOG Mailing List
  • Date: Fri Feb 11 00:20:55 2000

On Thu, 10 Feb 2000, Randy Bush wrote:

> 
> > I want something for clueful people to be able to type after "conf
> > t". Asking people who probably aren't on this mailing list and almost
> > certainly don't understand the problem to fix *their* network does not cut
> > the mustard.
> 
> e.g. the problem with the ddos attacks is that the pain is far removed from
> the enabling causes, thus severely weakening prophylactic motivations.  two
> trends may help.  as the pain is more universally felt, the motivation may
> spread.  and i suspect that the inclination to peer with non-motivated isps
> may change.
> 
> randy
> 


At minimum, a hurt can be put on networks that are irresponsible/inane by
effectively blackholing them.

neighbor db.bad-networks.blah.someone.com remote-as blah-blah
neighbor db.bad-networks.blah.someone.com description DB of bad networks
neighbor db.bad-networks.blah.someone.com route-map blackhole in
neighbor db.bad-networks.blah.someone.com filter-list 2 out
!
route-map blackhole permit 10
 set ip next-hop 127.0.0.1
!

Suddenly being blackholed from those of us who don't wish to deal with
operators who won't/can't secure their network might actually get their
attention.  Much the same as denying the entire APNIC allocation in
.htaccess substantially reduces CC fraud on e-commerce sites.

I know.  It's akin to killing a fly with a sledge-hammer but sometimes
it's worth it.


--------------------------------------------
|Signature line included for Jay R Ashworth|
--------------------------------------------


John Fraizer
EnterZone, Inc
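
The following is an added example, not part of the original message: a small Python model of the inbound policy a router would want around a third-party blackhole feed like the one sketched above, refusing prefixes that are malformed, too broad, or that overlap space that must stay reachable. The function names, the /8 minimum length and the sample prefixes are assumptions made for illustration.

```python
import ipaddress

DISCARD = "discard"  # stands in for the next hop the route-map sets (assumption)

def import_feed(feed, protected, min_len=8):
    """Model 'route-map blackhole in' with guard rails on what the feed may send.

    Returns (blackholes, rejected): accepted prefixes mapped to DISCARD, and
    (prefix, reason) pairs for everything the import policy refused.
    """
    guard = [ipaddress.IPv4Network(p) for p in protected]
    blackholes, rejected = {}, []
    for raw in feed:
        try:
            net = ipaddress.IPv4Network(raw)  # strict: host bits must be zero
        except ValueError:
            rejected.append((raw, "malformed"))
            continue
        if net.prefixlen < min_len:
            rejected.append((raw, "too broad"))
        elif any(net.overlaps(g) for g in guard):
            rejected.append((raw, "overlaps protected space"))
        else:
            blackholes[net] = DISCARD
    return blackholes, rejected

def next_hop(dst, rib, blackholes):
    """Longest-prefix match; an accepted blackhole wins over an equal-length route."""
    addr = ipaddress.IPv4Address(dst)
    table = {**rib, **blackholes}
    matches = [n for n in table if addr in n]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None

# Constructed sample data (documentation prefixes, not real networks).
FEED = ["198.51.100.0/24", "0.0.0.0/0", "203.0.113.0/25", "192.0.2.7/24"]
PROTECTED = ["203.0.113.0/24"]  # our own space: never blackhole on a third party's say-so
RIB = {ipaddress.IPv4Network("0.0.0.0/0"): "upstream"}

if __name__ == "__main__":
    holes, refused = import_feed(FEED, PROTECTED)
    for prefix, reason in refused:
        print(f"refused {prefix}: {reason}")
    for dst in ("198.51.100.9", "203.0.113.5"):
        print(dst, "->", next_hop(dst, RIB, holes))
```

Without the length and overlap checks, a single bad entry in the feed (a default route, or a slice of the operator's own block) would be installed with the discard next hop like any other prefix.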