North American Network Operators Group

Re: Level3 routing issues?
On Sat, 25 Jan 2003, K. Scott Bethke wrote:

> > Keep in mind that these problems aren't from 'well behaved' hosts, and
> > 'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED....
> > classic DoS attack scenario. :(

> I understand the evils, but are we really at the mercy of situations like
> this? Of course we can firewall the common sense things ahead of time,

I don't think this one could have been reasonably firewalled using a
non-stateful firewall (such as a simple router access list): the port is
unprivileged so it will be used as a source port for regular UDP traffic
such as DNS queries. However, rate limiting UDP would have helped. This is
a reasonable thing to do for customers that have a lot of bandwidth but
don't run high-bandwidth UDP protocols.

> we can jump right in and block evil traffic when it happens, after it takes
> down our network but what sorts of things can we design into our networks
> today to help with these situations?

Rate limit everything you can rate limit, make sure your routers and
switches have enough CPU even if interfaces are saturated with
minimum-sized packets to random destinations. But this type of rDOS
(reversed denial of service) is easy: you can simply filter the offending
systems. If it's the other way around (DOS) there is not much you can do.

To really solve this we need a mechanism for destination hosts to authorize
source hosts to send data in such a way that intermediate routers/firewalls
can check this authorization and drop unauthorized packets.
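As an added illustration (not part of this NANOG thread, and not anyone's router configuration), the following Python simulation contrasts the three options the reply discusses over a constructed packet trace: a stateless access list on the offending UDP port, which also drops the DNS reply to a query that happened to pick that port as its ephemeral source port; a stateful check that only lets packets to that port through when an inside host opened the matching flow; and a per-source UDP rate limit that leaves the low-rate legitimate traffic alone while clamping the flood. The port number, addresses, packet sizes and rates are placeholders chosen for the example; the message names none of them.

```python
"""Constructed trace: one legitimate DNS exchange whose ephemeral source
port happens to equal the offending port, plus a UDP flood from one
infected inside host.  All addresses, ports, sizes and rates are made up."""
from collections import defaultdict
from dataclasses import dataclass

OFFENDING_PORT = 40000   # placeholder: the message does not name the port
DNS_PORT = 53
INSIDE = "10.0.0."       # constructed customer prefix
INFECTED = "10.0.0.77"   # constructed infected customer host


@dataclass(frozen=True)
class Pkt:
    t: float        # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    size: int = 400  # bytes, constructed


def build_trace():
    pkts = [
        # the resolver picks OFFENDING_PORT as its ephemeral source port
        Pkt(0.00, "10.0.0.5", OFFENDING_PORT, "192.0.2.53", DNS_PORT, 60),
        # so the DNS reply arrives with dport == OFFENDING_PORT
        Pkt(0.02, "192.0.2.53", DNS_PORT, "10.0.0.5", OFFENDING_PORT, 120),
    ]
    # the infected host sprays 2000 packets at 10,000 pps to random destinations
    for i in range(2000):
        pkts.append(Pkt(0.05 + i * 0.0001, INFECTED, 1025 + i % 100,
                        f"198.51.100.{i % 254 + 1}", OFFENDING_PORT))
    pkts.sort(key=lambda p: p.t)
    return pkts


def stateless_acl(pkts):
    """Simple access list: drop every packet addressed to OFFENDING_PORT."""
    passed, dropped = [], []
    for p in pkts:
        (dropped if p.dport == OFFENDING_PORT else passed).append(p)
    return passed, dropped


def stateful_filter(pkts):
    """Stateful firewall: remember flows that inside hosts opened and let a
    packet through to OFFENDING_PORT only if it is the reply to one of them."""
    opened, passed, dropped = set(), [], []
    for p in pkts:
        if p.src.startswith(INSIDE):
            opened.add((p.src, p.sport, p.dst, p.dport))
        reply_of = (p.dst, p.dport, p.src, p.sport)
        if p.dport == OFFENDING_PORT and reply_of not in opened:
            dropped.append(p)
        else:
            passed.append(p)
    return passed, dropped


def udp_rate_limit(pkts, rate_pps=200.0, burst=20):
    """Per-source token bucket: each source may burst `burst` packets and
    then send at `rate_pps`; anything above that is dropped."""
    tokens = defaultdict(lambda: float(burst))
    last_seen = {}
    passed, dropped = [], []
    for p in pkts:
        if p.src in last_seen:
            refill = (p.t - last_seen[p.src]) * rate_pps
            tokens[p.src] = min(float(burst), tokens[p.src] + refill)
        last_seen[p.src] = p.t
        if tokens[p.src] >= 1.0:
            tokens[p.src] -= 1.0
            passed.append(p)
        else:
            dropped.append(p)
    return passed, dropped


def evaluate(pkts=None):
    """For each mitigation count collateral damage (legitimate packets
    dropped) and leakage (flood packets passed)."""
    pkts = build_trace() if pkts is None else pkts
    flood = {p for p in pkts if p.src == INFECTED}
    results = {}
    for name, fn in (("stateless_acl", stateless_acl),
                     ("stateful_filter", stateful_filter),
                     ("udp_rate_limit", udp_rate_limit)):
        passed, dropped = fn(pkts)
        results[name] = {
            "legit_dropped": sum(1 for p in dropped if p not in flood),
            "flood_passed": sum(1 for p in passed if p in flood),
        }
    return results


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:16s} legit dropped={r['legit_dropped']:2d} "
              f"flood passed={r['flood_passed']:4d}")
```

The stateless list stops the flood but also eats the DNS reply, which is the collateral damage the reply warns about; the stateful check avoids that by keying on the flow the inside host opened; the rate limiter never inspects ports at all, lets the two DNS packets through untouched and reduces the 2000-packet flood to roughly the burst plus the refill accrued over the flood's duration (about sixty packets with these constructed parameters), which is why it is the practical choice for customers that do not run high-bandwidth UDP protocols.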