North American Network Operators Group


Re: Is there a line of defense against Distributed Reflective attacks?

  • From: John Kristoff
  • Date: Fri Jan 17 14:51:49 2003

On Fri, 17 Jan 2003 18:38:08 +0000 (GMT)
"Christopher L. Morrow" <[email protected]> wrote:

> > has something called Source Path Isolation Engine (SPIE).  There
> This would be cool to see a design/whitepaper for.. Kelly?

In addition to David's link:

  <http://www.ir.bbn.com/projects/SPIE/>

> > mentioned, which penalize or limit high rate flows are not widely
> > deployed yet.

> (see above, is this what you really want?)

I happen to like the idea of using something like a RED queue that can
more aggressively drop traffic that is 'out of profile' in times of
congestion.  Like most things, this probably really works best at the
edges of the network, but my gut feeling is that it can be a relatively
fair and elegant approach.  However, it doesn't really solve the DoS
problem, it is really trying to just solve a congestion problem, but it
may have some nice side effects.

For example, I'm planning on trying out some new features from our
border router vendor, where we set a more aggressive RED drop profile
per source IP within our netblock where the source exceeds a configured
transmission rate.  The basic idea being to get the high load offering
sources to slow down in times of high usage/congestion.  Hopefully they
use TCP, but if not, perhaps drop even more aggressively?  If the
capacity is there, high load sources get through.

So, this doesn't stop attacks, but tries to keep some valid data flowing
through a limited egress pipe or in other words, try to provide some
fairness between multiple sources in times of high load.  Of course, if
everyone hits the ENTER key at the same time this doesn't work, but
hopefully statistical multiplexing is working as well as it always has
for us.

John
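The per-source RED idea in the post above, as an added worked example. This is not code from the original post, from the router vendor John mentions, or from the SPIE project; it is a small Python simulation written for this page. The profile thresholds, the rate limit, the queue size, the EWMA weight and the four-host workload are all assumptions made up for illustration: sources whose measured rate in the previous tick exceeds the configured limit are switched to a more aggressive RED drop curve, and out-of-profile non-TCP sources get a harsher curve still, on the reasoning that they will not back off. Service is spread evenly across each tick, so the queue only builds when offered load actually exceeds capacity; that is what makes high-rate sources get through when the capacity is there.

```python
"""Per-source RED drop profiles under congestion: a toy simulation.

Added example; not code from the original post or from any router vendor.
All profiles, limits and the workload below are assumptions chosen for
illustration.  Units: queue depth in packets, capacity in packets/tick.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RedProfile:
    min_th: float   # average queue depth where random early drop starts
    max_th: float   # average depth where the drop probability reaches max_p
    max_p: float    # drop probability at max_th; at or above max_th every packet drops


# Assumed profiles.  In-profile traffic keeps a gentle classic RED curve;
# out-of-profile TCP is dropped earlier and harder (TCP will back off);
# out-of-profile non-TCP gets the harshest curve since it will not back off.
IN_PROFILE = RedProfile(min_th=20, max_th=40, max_p=0.10)
OUT_OF_PROFILE_TCP = RedProfile(min_th=5, max_th=30, max_p=0.50)
OUT_OF_PROFILE_OTHER = RedProfile(min_th=2, max_th=20, max_p=1.00)

RATE_LIMIT = 30      # packets/tick a source may send before it is "out of profile"
QUEUE_MAX = 100      # hard tail-drop limit of the egress queue (packets)
AVG_WEIGHT = 0.2     # EWMA weight for the RED average queue size


def drop_probability(avg_queue, prof):
    """Classic RED linear curve on the EWMA queue size, per profile."""
    if avg_queue < prof.min_th:
        return 0.0
    if avg_queue >= prof.max_th:
        return 1.0
    return prof.max_p * (avg_queue - prof.min_th) / (prof.max_th - prof.min_th)


def profile_for(prev_rate, proto):
    """Pick the RED profile from the source's measured rate in the previous tick."""
    if prev_rate <= RATE_LIMIT:
        return IN_PROFILE
    return OUT_OF_PROFILE_TCP if proto == "tcp" else OUT_OF_PROFILE_OTHER


def simulate(sources, capacity, ticks=50, seed=1):
    """sources: {name: (packets_per_tick, proto)}.
    Returns {name: {'offered': n, 'dropped': n}}.  Service is spread evenly
    across the tick so the queue only builds when offered load exceeds capacity."""
    rng = random.Random(seed)
    stats = {s: {"offered": 0, "dropped": 0} for s in sources}
    prev_rate = {s: 0 for s in sources}          # nothing measured yet: everyone in profile
    queue_len, avg_queue, credit = 0, 0.0, 0.0
    for _ in range(ticks):
        arrivals = [(s, p) for s, (rate, p) in sources.items() for _i in range(rate)]
        if not arrivals:
            continue
        rng.shuffle(arrivals)                    # interleave the sources' packets
        seen = {s: 0 for s in sources}
        service_per_arrival = capacity / len(arrivals)
        for src, proto in arrivals:
            seen[src] += 1
            stats[src]["offered"] += 1
            avg_queue = (1 - AVG_WEIGHT) * avg_queue + AVG_WEIGHT * queue_len
            prof = profile_for(prev_rate[src], proto)
            if queue_len >= QUEUE_MAX or rng.random() < drop_probability(avg_queue, prof):
                stats[src]["dropped"] += 1
            else:
                queue_len += 1
            # Drain a share of this tick's capacity per arrival; capacity unused
            # while the queue is empty is lost (work-conserving link).
            credit += service_per_arrival
            served = min(queue_len, int(credit))
            queue_len -= served
            credit = 0.0 if queue_len == 0 else credit - served
        prev_rate = seen                         # rate measurement for the next tick
    return stats


def drop_fraction(stats, src):
    s = stats[src]
    return s["dropped"] / s["offered"] if s["offered"] else 0.0


# Constructed workload: two well-behaved hosts and two high-rate hosts,
# one TCP and one UDP, all behind the same egress link.
WORKLOAD = {
    "host_a": (10, "tcp"),
    "host_b": (10, "tcp"),
    "tcp_hog": (60, "tcp"),
    "udp_hog": (60, "udp"),
}

if __name__ == "__main__":
    for label, cap in (("congested, capacity 50/tick", 50), ("uncongested, capacity 200/tick", 200)):
        stats = simulate(WORKLOAD, capacity=cap)
        print(label)
        for src in WORKLOAD:
            print(f"  {src:8s} dropped {drop_fraction(stats, src):6.1%}")
```

Running it with the 140 packets/tick workload against a 50 packet/tick link, the UDP hog loses nearly everything, the TCP hog loses roughly half, and the two in-profile hosts lose only a few percent; against a 200 packet/tick link nothing is dropped at all, which is the "if the capacity is there, high load sources get through" property. The part the simulation cannot show is whether the real hosts slow down: a TCP sender will, a flood source will not, so as the post says this is fairness under congestion rather than a defense against the attack itself.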