North American Network Operators Group

Re: New Solution: (was: Re: Counter DoS)
The thing is though, by allowing any /32's... what prevents /all/ customers from abusing it out of curiosity of what would happen? :) The fact that you are allowing any /32's (up to 100 or whatever max prefix limit you set) is like giving a can of worms to your customers. I don't think it's even worth the effort to bother when you have more than a couple of customers abusing it: security for one, SLA for the other, thirdly I just don't trust customers injecting routes into my backbone w/o telling us.

I don't think BGP or a routing protocol is the right way to solve infected machines participating in DDoS nets.

-J

On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote:

> Here is a solution I would like to propose -- it is not as set-and-forget as network operators like, but we do know that some of our customers have a lot of expertise with this stuff, and taking advantage of that value helps. This is along the categories of collateral damage, scorched earth and generally punitive action for DDOS-compromised hosts. Because not everyone will read every line, I am going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM. This will backfire if it's used for Spam blackholes; it will really only have an effect in the narrower DDOS space.
>
> Along with the idea of blackhole communities. I do NOT recommend it be turned on across-the-board for every customer, and once it has reached penetration, say 20-30% of the internet backbones use this feature -- it should be phased back and only be an ICB item. (called Planned Obl.)
>
> Just like the blackhole community routes, certain /32's (only, nothing shorter) can be exported from the customer to the backbone to be blackholed at the edges. The twist is that instead of limiting the customer announcement to the customer's IPs, you force only /32s to be announced for the blackhole prefixes and limit the total number of prefixes. Say 100 (or 10, or 1000, depends how much trust you have).
>
> So say joe-customer has identified his top 50 DDOS sources, he announces them to you, voila, DDOS gone. (even for spoofed traffic, depending on how your filters are set up) Obviously these would be no-export routes so no peer need be worried.
>
> The theory - It creates an actual, measured response to customer machines being vulnerable. It makes parts (ideally large parts) of the internet unavailable to those with vulnerable computers.
>
> The bad side - People could black hole important sites, until the ALL-CAPS rule is applied.
>
> The somewhat less bad, bad side - Most of these /32s wouldn't be removed until the cable provider called the blackholing provider.
>
> The reality is that these filters are probably created today by backbone security folks, so the question is how fast you want the injections/rejections.
>
> IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM.
>
> Comments?
>
> Deepak

-- 
James Jun
TowardEX Technologies, Inc.
Technical Lead
Network Design, Consulting, IT Outsourcing
[email protected]
Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867
web: http://www.towardex.com , noc: www.twdx.net
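For readers who want to see the proposal and the objection as concrete router policy, here is an added Cisco IOS-style configuration; it is not from either poster, and the AS numbers, the 65000:666 community, the 192.0.2.1 discard next-hop and all addresses are constructed placeholders. It accepts only /32 blackhole requests that carry an agreed community, keeps them no-export, and uses the session's maximum-prefix as the mechanical form of "take it away from them".

```cisco
! Edge router in AS 65000 (constructed); customer peer 198.51.100.2, AS 65001 (constructed).
! Blackhole requests must be exactly /32 AND carry the agreed community.
ip community-list standard CUST-BLACKHOLE permit 65000:666
ip prefix-list ONLY-HOST-ROUTES seq 5 permit 0.0.0.0/0 ge 32
!
! The customer's own address space for ordinary announcements (constructed).
ip prefix-list CUST-OWN seq 5 permit 203.0.113.0/24 le 32
!
! Discard next-hop: every edge router carries this static route to Null0,
! so a route whose next-hop is rewritten to it is dropped at the edge.
ip route 192.0.2.1 255.255.255.255 Null0
!
route-map CUST-IN permit 10
 description /32 blackhole requests: rewrite next-hop, never leave our AS
 match ip address prefix-list ONLY-HOST-ROUTES
 match community CUST-BLACKHOLE
 set ip next-hop 192.0.2.1
 set community no-export additive
 set local-preference 200
route-map CUST-IN permit 20
 description ordinary customer routes from their own space
 match ip address prefix-list CUST-OWN
! Implicit deny: a blackhole-tagged prefix shorter than /32, or a /32 for
! foreign space without the community, is rejected.
!
router bgp 65000
 neighbor 198.51.100.2 remote-as 65001
 neighbor 198.51.100.2 route-map CUST-IN in
 ! Counts ALL accepted prefixes on this session, so the effective blackhole
 ! allowance is this ceiling minus the customer's legitimate prefix count.
 ! Exceeding it tears the session down until an operator clears it.
 neighbor 198.51.100.2 maximum-prefix 100
```

Clause 10 deliberately matches /32s anywhere in the address space, which is the part of the proposal the reply objects to; tightening ONLY-HOST-ROUTES to the customer's own space turns this back into an ordinary customer-triggered blackhole.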