North American Network Operators Group


New Solution: (was: Re: Counter DoS)

  • From: Deepak Jain
  • Date: Thu Mar 11 17:20:51 2004



Here is a solution I would like to propose -- it is not as set-and-forget as network operators like, but we do know that some of our customers have a lot of expertise with this stuff, and taking advantage of that value helps. This is along the categories of collateral damage, scorched earth and generally punitive action for DDOS-compromised hosts. Because not everyone will read every line, I am going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM. This will backfire if it's used for spam blackholes; it will really only have an effect in the narrower DDOS space.

This goes along with the idea of blackhole communities. I do NOT recommend it be turned on across-the-board for every customer, and once it has reached penetration, say 20-30% of the Internet backbones using this feature -- it should be phased back and only be an ICB item. (called Planned Obl.)

Just like the blackhole community routes, certain /32s (only, nothing shorter) can be exported from the customer to the backbone to be blackholed at the edges. The twist is that instead of limiting the customer announcement to the customer's IPs, you force only /32s to be announced for the blackhole prefixes and limit the total number of prefixes. Say 100 (or 10, or 1000, depending on how much trust you have).

So say joe-customer has identified his top 50 DDOS sources; he announces them to you, and voila, DDOS gone (even for spoofed traffic, depending on how your filters are set up). Obviously these would be no-export routes, so no peer need be worried.

The theory: it creates an actual, measured response to customer machines being vulnerable. It makes parts (ideally large parts) of the Internet unavailable to those with vulnerable computers.

The bad side: people could blackhole important sites, until the ALL-CAPS rule is applied.

The somewhat less bad, bad side: most of these /32s wouldn't be removed until the cable provider called the blackholing provider.

The reality is that these filters are probably created today by backbone security folks, so the question is how fast you want the injections/rejections.

IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM.

Comments?

Deepak
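As an added illustration, not part of Deepak's post, the inbound policy the proposal describes can be modelled as follows: routes carrying the blackhole community bypass the customer's normal "your own prefixes only" filter, but must be host routes (/32 for IPv4) and are capped at a fixed count per customer; accepted ones are rewritten to a discard next-hop and tagged NO_EXPORT so they never reach a peer. The community value 65000:666, the discard next-hop 192.0.2.1, the cap of 100 and the sample announcements are all constructed placeholders; a real deployment expresses this as route policy on the edge routers rather than as a script.

```python
"""Constructed model of the customer-triggered blackhole import policy.

Two classes of routes arrive on a customer BGP session:
  * ordinary routes, which must fall inside the customer's registered space;
  * routes tagged with the blackhole community, which are exempt from that
    check but must be host routes, capped at max_blackhole per customer.
Accepted blackhole routes are rewritten to the discard next-hop and marked
NO_EXPORT so they never leave the provider's AS.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed placeholder values (not from the post): a provider publishes its own
# blackhole community, picks its own discard next-hop, and sets its own cap.
BLACKHOLE_COMMUNITY = "65000:666"
NO_EXPORT = "no-export"
DISCARD_NEXT_HOP = "192.0.2.1"   # statically routed to Null0 on every edge router
MAX_BLACKHOLE = 100


@dataclass
class Route:
    prefix: str
    communities: set = field(default_factory=set)
    next_hop: str = ""


@dataclass
class Customer:
    allowed: list                                  # the customer's own registered prefixes
    max_blackhole: int = MAX_BLACKHOLE
    blackholed: set = field(default_factory=set)   # host routes currently accepted


def import_policy(cust, route):
    """Apply the inbound policy; returns (action, route) with action one of
    'accept' (ordinary route), 'blackhole' (rewritten host route) or 'reject'."""
    try:
        net = ipaddress.ip_network(route.prefix, strict=True)
    except ValueError:
        return "reject", route

    if BLACKHOLE_COMMUNITY in route.communities:
        # The blackhole path is not tied to the customer's own space, so it is
        # constrained two other ways: host routes only, and a hard count limit.
        if net.prefixlen != net.max_prefixlen:
            return "reject", route
        key = str(net)
        if key not in cust.blackholed and len(cust.blackholed) >= cust.max_blackhole:
            return "reject", route
        cust.blackholed.add(key)
        route.next_hop = DISCARD_NEXT_HOP
        route.communities = set(route.communities) | {NO_EXPORT}
        return "blackhole", route

    # Ordinary announcement: accept only prefixes inside the registered space.
    for allowed in cust.allowed:
        allowed_net = ipaddress.ip_network(allowed)
        if allowed_net.version == net.version and net.subnet_of(allowed_net):
            return "accept", route
    return "reject", route


def withdraw(cust, prefix):
    """A BGP withdraw frees the slot so the customer can blackhole another host."""
    cust.blackholed.discard(str(ipaddress.ip_network(prefix, strict=True)))


def demo():
    """Constructed sample session: one customer announcing four routes."""
    cust = Customer(allowed=["198.51.100.0/24"], max_blackhole=50)
    updates = [
        Route("198.51.100.0/24"),                        # own space -> accept
        Route("203.0.113.7/32", {BLACKHOLE_COMMUNITY}),  # DDOS source -> blackhole
        Route("203.0.113.0/24", {BLACKHOLE_COMMUNITY}),  # shorter than /32 -> reject
        Route("10.0.0.0/8"),                             # not theirs -> reject
    ]
    return [import_policy(cust, r)[0] for r in updates]


if __name__ == "__main__":
    print(demo())
```

The count check deliberately lets an already-accepted host route be re-announced when the customer is at the cap, since a BGP refresh of an existing route is not a new injection; only a withdraw frees a slot. The "take it away" rule from the post is an operational decision, not something the policy detects on its own.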