North American Network Operators Group
Re: UUNet Offer New Protection Against DDoS
Christopher L. Morrow wrote:
> So we all agree that in the ideal world, everyone has anti-spoofing ACLs and route map filters and what not on every link into their network.
> minuscule amounts of traffic in uunet's core is still enough to ddos many
> minuscule is enough to cause problems in anyone's network.... the point

But in the real world... given that you are going to be peering with ISPs (or their upstreams) that do not do uRPF or anything at all on their edges, if you want to drop the patently bogus traffic, or your customers don't want to pay you for delivering it to them over links they don't want congested with it, what do you do?

I guess you can say "peering links are not core", and that's fine if you run loose-uRPF there, and can be assured that all access to your network has filters on all links. I was thinking of large peering routers as part of the core of an ISP, so loose-uRPF is sufficient on those routers, if edges are protected.

But if you are going to run loose-uRPF on your peering routers, why not run it on your core? Is there a technological reason not to? Cisco OC48 line cards do support it (at least some do); I'm almost sure Juniper does too. But I don't play in that area.

And given that there are ISPs running it in the core; that it will block some malicious traffic; and that spoofed traffic may well be used as an attack vector again (sometime people are going to have to catch on and patch machines, or worms will patch them for them, and reduce the botnet farm size. Maybe not this year, but sometime...), I still don't see why you are against it.

I accept that filtering on all edges, including peering, is a better place to do it. So do you filter on, say, peering links to other tier 1's? Even so, why not have belt AND suspenders, and run it in the core?
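The difference the message turns on, strict uRPF at the customer edge versus loose uRPF on peering and core routers, is easy to state but worth seeing on concrete packets. The following is an added example written for this archive page, not code from the thread or from any router vendor: a toy model of both checks against a constructed FIB. The interface names (cust0, cust1, peer0), the prefixes (RFC 5737 documentation ranges plus a 10/8 Null0 route) and the packets are all made up for the illustration; the IOS command names in the docstrings are the real knobs for the two modes.

```python
"""Toy strict-vs-loose unicast RPF check.

Added illustration for the NANOG thread above; the FIB, interface names and
packets are constructed, not taken from any real router.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: Optional[str]  # egress interface; None models a Null0 / discard route


# Constructed FIB for a hypothetical provider router: two customer ports and one
# peering port. A tier-1 core carries no default route, so none is modelled.
FIB = (
    Route(Net("198.51.100.0/24"), "cust0"),   # single-homed customer behind cust0
    Route(Net("203.0.113.0/24"), "cust1"),    # multihomed customer; best path is cust1
    Route(Net("192.0.2.0/24"), "peer0"),      # a remote network learned from the peer
    Route(Net("10.0.0.0/8"), None),           # bogon space pinned to Null0
)


def lookup(src: IPv4) -> Optional[Route]:
    """Longest-prefix match on the packet's *source* address, as uRPF does."""
    best = None
    for r in FIB:
        if src in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_strict(src: IPv4, ingress: str) -> bool:
    """Strict mode (IOS: 'ip verify unicast source reachable-via rx').
    Pass only if the best route to the source points back out the ingress interface."""
    r = lookup(src)
    return r is not None and r.iface == ingress


def urpf_loose(src: IPv4, ingress: str) -> bool:
    """Loose mode (IOS: 'ip verify unicast source reachable-via any').
    Pass if *some* non-discard route to the source exists; the ingress is irrelevant."""
    r = lookup(src)
    return r is not None and r.iface is not None


def verdicts(src: str, ingress: str) -> Tuple[bool, bool]:
    """Return (strict_passes, loose_passes) for a packet with this source on ingress."""
    a = IPv4(src)
    return urpf_strict(a, ingress), urpf_loose(a, ingress)


# Constructed packets: (source, ingress interface, what the packet represents).
PACKETS = [
    ("198.51.100.5", "cust0", "customer using its own address"),
    ("203.0.113.9",  "cust0", "cust0 spoofing another customer, OR the multihomed "
                              "customer on its backup link: indistinguishable to the router"),
    ("203.0.113.9",  "peer0", "our customer's prefix arriving from a peer "
                              "(asymmetric return path, or spoofed)"),
    ("192.0.2.7",    "peer0", "ordinary traffic from a routed remote network"),
    ("10.1.2.3",     "peer0", "bogon source covered by a Null0 route"),
    ("172.16.5.5",   "peer0", "source with no route at all"),
]

if __name__ == "__main__":
    print(f"{'source':<14}{'ingress':<8}{'strict':<8}{'loose':<8}note")
    for src, ingress, note in PACKETS:
        s, l = verdicts(src, ingress)
        print(f"{src:<14}{ingress:<8}{str(s):<8}{str(l):<8}{note}")
```

Running it shows the trade-off the thread is arguing over. Loose mode drops only sources that are unrouted or pointed at Null0 (the last two packets); a spoofed address that belongs to any routed prefix sails through, which is why the poster insists the customer edges must carry strict filters. Strict mode catches that spoof at cust0, but the second and third packets are the same bytes whether they are a spoof or a multihomed customer's legitimate backup-path traffic, so strict mode on a peering or core link, where paths are routinely asymmetric, would discard real traffic. That is the technical reason the message settles on strict at the edge and loose, as belt and suspenders, further in.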