North American Network Operators Group


RE: engineering --> ddos and flooding

  • From: Matt Zito
  • Date: Mon Jun 04 14:14:44 2001


> Sorry but IMESHO null routing a /32 during a DoS attack 
> doesn't exactly
> strike me as engineering. It is more like dealing with the attack in
> real-time. To me, engineering would mean designing networks 
> to be resistant to DDoS and flooding in the first place. 
> 
> To that end no NSP should ever allow spoofed IP addresses outside of
> their network. (not just RFC 1918 addresses but valid IPs that don't
> belong to that NSP)
> 
> 	e.g. if I have a circuit from C&W and I try to spoof a packet
> 	with a source address of 216.35.172.135 it should be dropped as
> 	close to the edge of C&W's network as possible. 
> 
> 	note on RFC 1918 addresses: These should never get past customer
> 	edge routers IMESHO.
> 
> Two NSPs should rate limit DoS traffic (ICMP & SYNs) within their
> networks in such a way that it can never DoS a T-1 (or E-1 if you are
> not in the US). [note: I'm not sure if Ciscos are up for this workload
> since I primarily work with Juniper.]
> 

Rate-limiting ICMP is not so difficult - rate-limiting SYNs is basically
useless.  SYN floods work not because of the amount of traffic they
generate, but because they fill up state tables or make them so horribly
inefficient as to make the box cease responding on that port.  Given that,
say, a Linux box has a default queue depth of 128, I can send 128 spoofed
SYNs at a rate of one a second, and in two minutes that box will stop
responding.  The larger you make the queue, the longer it will stand up to
a slow SYN attack, but the more costly each incoming SYN and SYN+ACK
becomes, as the data structures become more and more unwieldy.

Thanks,
Matt

-- 
Matthew J. Zito
Systems Engineer
Register.com, Inc., 11th Floor, 575 8th Avenue, New York, NY 10018
Ph: 212-798-9205
PGP Key Fingerprint: 4E AC E1 0B BE DD 7D BC  D2 06 B2 B0 BF 55 68 99
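The point Matt makes above (a SYN flood exhausts the listen backlog, so a
per-second rate limit on SYNs does nothing unless it is far below any
rate a real service needs) can be checked with a small model. The code
below is an added example written for this archive page; it is not from
the original post or from any vendor. It models the backlog as a pool of
half-open slots, each held for an assumed half_open_timeout of 180 seconds
(the spoofed source never answers the SYN+ACK, so the slot lives until the
server gives up retransmitting; the exact lifetime is a parameter, not a
measured value). The function names, the 180-second timeout and the
constructed legitimate-client arrival times are all assumptions of this
example.

```python
"""Discrete-time model of a TCP listen backlog under a slow spoofed-SYN
stream.  Added example for the NANOG thread above; all timings are
assumptions of the model, not measurements of any real stack."""
import heapq


def simulate_backlog(capacity, half_open_timeout, attacker_rate, duration,
                     legit_syn_times=()):
    """Run the backlog for `duration` one-second steps.

    capacity          -- number of half-open slots (e.g. 128 for the listen
                         queue depth quoted in the post)
    half_open_timeout -- seconds a spoofed-SYN entry occupies a slot before
                         the server gives up on the SYN+ACK (assumed)
    attacker_rate     -- spoofed SYNs per second that get through (this is
                         what a SYN rate limiter would cap)
    legit_syn_times   -- constructed arrival times of real clients; a real
                         client finishes the handshake within a second and
                         frees its slot

    Returns first_full (second at which the backlog first fills, or None),
    peak_occupancy and legit_dropped (real clients refused).
    """
    backlog = []            # min-heap of slot expiry times
    legit = set(legit_syn_times)
    first_full = None
    peak = 0
    legit_dropped = 0
    for t in range(duration):
        # free every slot whose entry has timed out (or completed)
        while backlog and backlog[0] <= t:
            heapq.heappop(backlog)
        # spoofed SYNs: each one that fits holds a slot for the full timeout
        for _ in range(attacker_rate):
            if len(backlog) < capacity:
                heapq.heappush(backlog, t + half_open_timeout)
        if len(backlog) >= capacity and first_full is None:
            first_full = t
        # a real client arriving now gets a slot only if one is free
        if t in legit:
            if len(backlog) < capacity:
                heapq.heappush(backlog, t + 1)   # handshake completes next second
            else:
                legit_dropped += 1
        peak = max(peak, len(backlog))
    return {"first_full": first_full, "peak_occupancy": peak,
            "legit_dropped": legit_dropped}


def max_absorbable_rate(capacity, half_open_timeout):
    """Steady-state occupancy is rate * timeout, so this is the largest
    sustained spoofed-SYN rate the backlog can hold without filling."""
    return capacity / half_open_timeout


if __name__ == "__main__":
    # The scenario from the post: 128-deep queue, one spoofed SYN per second.
    slow = simulate_backlog(128, 180, 1, 300, legit_syn_times=(60, 200))
    print("1 SYN/s vs 128 slots:", slow)         # full after ~2 minutes
    # A rate limiter would have to cut the attacker to below this:
    print("max tolerable SYN/s:", max_absorbable_rate(128, 180))
    # A bigger queue only moves the number the attacker has to beat.
    print("1 SYN/s vs 1024 slots:", simulate_backlog(1024, 180, 1, 300))
    print("6 SYN/s vs 1024 slots:", simulate_backlog(1024, 180, 6, 300))
```

With a 180 s half-open lifetime, a 128-slot backlog fills at t=127 under
one SYN per second and a real client arriving at t=200 is refused, while a
client arriving at t=60 still gets in. Keeping the queue from filling
would need the limiter to hold the attacker under 128/180, about 0.7 SYNs
per second for the whole server, which no rate limit placed in a carrier
network can do without also cutting off legitimate clients. Raising the
queue to 1024 slots lets it absorb 1 SYN/s indefinitely (peak occupancy
180), but 6 SYN/s fills it at t=170, which is the "larger queue just
stands up longer" point from the post.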