North American Network Operators Group


Re: DoS attacks, NSPs unresponsiveness

  • From: John Fraizer
  • Date: Fri Nov 03 11:31:06 2000

On Thu, 2 Nov 2000, Joe Shaw wrote:

> 
> On Thu, 2 Nov 2000, John Fraizer wrote:
> 
> > One of the keys to winning a war is to choose your battles wisely and
> > attempt to limit casualties in the battles you do fight..  Don't throw
> > 1Gb/s of capacity to a server that is only going to use 20Mb/s but is
> > highly likely to attract 600Mb/s of "hate" from the script kiddies.
> 
> My war is to increase Internet security.  It's generally impossible with
> the current implementation, and I'm not exactly sure how much better IPv6
> is going to be if we ever get around to deploying it Internet-wide.

You can ALWAYS increase security.  You may not be able to do it the way
you want but, you can always do it in some shape or form.


> 
> > Go find someone with a legacy /24 they're not using (there are TONS of
> > them) and convince them to sell it to you.  Put the "target" on that
> > /24.  If you're under attack, retract the announcement.  Now, the
> > "hate" stays on the originating network.
> 
> Actually, that's not a bad idea in and of itself if you have the
> ability to do so.  But people generally filter at /19 or /20
> advertisements, and what happens when it's more than just some moron
> taking down an IRC server?  What happens when it's a customer doing

If they're filtering on the /19 or /20 boundary on legacy space, they're
VERY misconfigured and breaking a whole bunch of connectivity.

The rest of your paragraph was full of what-ifs.  There is a solution for
every problem.  It is not always painless and sometimes involves shooting
some moron who IS the problem square between the eyes.  There IS a
solution to every problem though.  I have provided two solutions to
attacks on IRC servers.  #1, don't run one -- i.e., limit your worthiness as
a target.  #2, give yourself the ability to "disappear" as is outlined
above.

#3 - #10,000 I am reserving for paying customers.


> I'm looking for actual examples.  If you have some, I'd love to hear
> them.  There has only been one time in the past where I actually
> wanted asymmetrical routing, and it certainly took some work to make
> traffic flow that way.  I'm not saying don't allow it to happen, just make
> it the default not to allow traffic you're not specifically routing.
> 
> > There are also cases where you are providing transit to a
> > customer who, for whatever reason, is NOT announcing routes to
> > you.
> 
> How can you possibly have transit customers who you are not announcing
> any type of routes for?  Has the meaning of a transit network, which
> transit customers generally buy access to for connectivity, changed?
> Transit networks used to mean networks used to transit traffic between two


OK.  Try this one on.  You're announcing 89K prefixes to customer
X.  They're seeing the same 89K prefixes from another provider too.  They
don't want ANY incoming traffic via their connection from you.  They do
however preference routes to ASX, ASY and ASZ via your connection.  What's
the best way for them to do this?  Don't announce to you and route-map
those routes to X Y and Z to be preferred.

Asymmetric routing.


---
John Fraizer
EnterZone, Inc
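The arrangement John describes above (customer X announces nothing to one provider but prefers routes to ASX, ASY and ASZ through that link) would look roughly like this on a Cisco IOS router. This is an added illustration, not configuration from the thread or from EnterZone; all AS numbers and neighbor addresses are constructed from documentation/private ranges, and PROVIDER-A stands in for John's network.

```ios
! Constructed example: customer X (AS 64512) dual-homed to PROVIDER-A
! (AS 64496) and PROVIDER-B (AS 64497).  ASX/ASY/ASZ = 65001-65003.
!
! Announce nothing to PROVIDER-A, so no inbound traffic arrives via that link.
ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32
!
! Our own space, announced only to PROVIDER-B (constructed prefix).
ip prefix-list ANNOUNCE-OURS seq 5 permit 203.0.113.0/24
!
! Routes originated by ASX, ASY, ASZ (AS path ends in that ASN).
ip as-path access-list 10 permit _65001$
ip as-path access-list 10 permit _65002$
ip as-path access-list 10 permit _65003$
!
! Inbound from PROVIDER-A: prefer only the X/Y/Z routes (local-pref 200,
! above the default 100 seen via PROVIDER-B); everything else from A gets
! 90, so it loses to the PROVIDER-B copy.
route-map PREFER-VIA-PROVIDER-A permit 10
 match as-path 10
 set local-preference 200
route-map PREFER-VIA-PROVIDER-A permit 20
 set local-preference 90
!
router bgp 64512
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description PROVIDER-A (transit, no announcements)
 neighbor 192.0.2.1 prefix-list DENY-ALL out
 neighbor 192.0.2.1 route-map PREFER-VIA-PROVIDER-A in
 !
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description PROVIDER-B (carries all inbound)
 neighbor 198.51.100.1 prefix-list ANNOUNCE-OURS out
```

Outbound packets to AS 65001-65003 leave via PROVIDER-A, while every reply comes back through PROVIDER-B because A never learns 203.0.113.0/24 from X: that is the asymmetric routing the post refers to, and it is why PROVIDER-A's edge cannot rely on "only accept traffic from prefixes the customer announces to us" without breaking this customer.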