North American Network Operators Group

Re: Effective ways to deal with DDoS attacks?

  • From: E.B. Dreger
  • Date: Tue May 07 18:40:16 2002

CLM> Date: Tue, 7 May 2002 21:43:10 +0000 (GMT)
CLM> From: Christopher L. Morrow


CLM> 1) rate-limits aren't going to solve anything.


If -- big if -- the sources could be throttled... but they'd have
to be so slow that they were effectively shut off.

Maybe it would be easier to give more power to TCP congestion
control.  Maybe similar functionality in ICMP.  Maybe something
in IP itself.  Did somebody say "ECN"?

Frankly, if ECN were "widely enough" deployed, one could assume
ECN-ignoring devices to be rogue, and act upon that.  Right now
one does it at layer 9.  A lower layer isn't out of the question.
(See remarks re point #3.)


CLM> 2) I'm pretty sure most providers aren't going to let
CLM>    customers determine traffic engineering methods on their
CLM>    networks


BGP communities... 3356, 3561, 4006, 3549, and several smaller
providers offer selective prepends... if there were more edge
clue, I think that more would follow.  Many more honor MEDs, and
virtually all provide local-pref knobs...

The big pain in something like this would be state.  Hence why
some sort of pushback sounds reasonable; determine the other
endpoints, and communicate with edge devices.  Keep state out of
the core.

*sits and prepares to listen to how big UU's edge is*

"We can't do it because Vendor X doesn't offer it" is not the
right answer.  If it's feasible, the question is _why_ Vendor X
doesn't offer capable hardware.  (I'm leaving it at that, as this
message already relates to several flame wars.)

Yes, that would be a big chore for a 1x000-class router with
tons of subinterfaces.  But where do those subinterfaces
originate?  Might the true edge device be the... switch?

Let's say that it takes $5000 of hardware to provide this service
on a DS3.  When I go shopping, will I be willing to pay five
grand extra for a DS3 that has better DDoS control?  (Hint: How
much bandwidth will I lose otherwise?)

Better yet, let's say I colo at a place that charges for traffic.
Will I pay a bit extra for an outfit that has my best interests
in mind?

Perhaps I don't care how big the ice cream cone is if it doesn't
have a nice flavor.  The world's biggest ice cream cone just
might not be enough of an offering, especially if the cow is
having trouble producing milk.


CLM> 3) if this is NOT done in a secure manner I bet I can make
CLM>    www.whitehouse.com disappear... :)


If BGP is not done in a secure manner I bet I can make any site
disappear.


--
Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
