North American Network Operators Group


Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T

  • From: Erik Haagsman
  • Date: Wed Jun 02 12:05:26 2004

On Wed, 2004-06-02 at 17:25, Jon R. Kibler wrote:
> The sad fact is that simple ingress and egress filtering would 
> eliminate the majority of bogus traffic on the Internet -- including 
> (D)DoS attacks.

Couldn't agree more. It would probably cut hacked zombies (and that way
spam) by at least as much as DDoS traffic; in general we'd all have far
fewer problems if ISPs would stick to simple solutions where they're
needed. Although there are DoS's coming from valid IPs, 99 out of 100
of these valid IPs are zombies hacked by using spoofed IPs so the
hacker isn't traceable. Good filtering will make this a lot harder to
pull off.

> Why no filtering by ISPs? "Because it takes resources and only benefits
> the other guy" -- unless your network is the one under attack.

And this is exactly the kind of ignorant thinking that prevents us from
solving the spam and DoS problems, while the exact same people can't
stop complaining about the spammers and script-kiddies ruining their
lunch.

> Maintenance of the ACLs should not be the issue. A single ACL for each
> subnet would be all that would be required for egress filtering. About
> 30 ACLs on an inbound border router would be required for ingress 
> filtering. Keeping the ingress ACLs current is a brain-dead task -- just
> subscribe to the bogon mailing list at cymru.com.

If maintenance of ACLs was a problem for large ISPs, they'd be out of
business since that would imply they don't have the staff to keep their
networks running, let alone well enough to actually have customers on
it. I've probably heard the argument about the money it would cost and
the staff it would take a million times, but the fact is that if every
ISP did its filtering, you'd see the need for troubleshooting,
spam filtering, recovering from hackers, and mitigating DoS attacks drop
enormously. I'm 100% sure this would lead to lower maintenance costs,
not the other way around.

> ACLs have had a bad reputation for greatly slowing down routers. That
> may have been true in the past, but properly written ACLs do not seem
> to have a significant impact on most new routers. Yes, they may cut
> peak through-put a few percent -- but if you are running that close to
> the edge, it is time to upgrade anyway.

Only very small ISPs relying on 36xx's or multilayer switching instead
of larger, more powerful might still be valid cases where ACLs are a
problem. But those aren't the ISPs generating 80% of all useless
traffic, it's the big boys that have plenty of hardware to burn that
refuse to do anything about it.

> IMHO, there is absolutely no excuse for not doing ingress and egress
> filtering.

Hear, hear.


-- 
---
Erik Haagsman
Network Architect
We Dare BV
tel: +31(0)10 7507008
fax:+31(0)10 7507005
http://www.we-dare.nl
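The egress and ingress source-address filters described in the quoted message, as an added example that is not part of the original post. The ISP prefixes and sample flows are constructed, and the bogon set is an illustrative subset of reserved space, not the actual cymru.com list.

```python
import ipaddress

# Prefixes this hypothetical ISP originates (constructed for the example).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Illustrative subset of reserved/unallocated space. The real bogon list
# changes over time and must be refreshed from the cymru.com feed.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3")]

def _in_any(addr, nets):
    return any(addr in n for n in nets)

def egress_permit(src):
    """Egress ACL on the customer-facing side: a packet leaving our network
    may only carry a source address we are responsible for; anything else
    is spoofed and gets dropped before it reaches the rest of the Internet."""
    return _in_any(ipaddress.ip_address(src), OUR_PREFIXES)

def ingress_permit(src):
    """Ingress ACL on the border router: drop bogon sources, and drop packets
    claiming to come from our own prefixes, which never arrive from outside."""
    a = ipaddress.ip_address(src)
    return not (_in_any(a, BOGONS) or _in_any(a, OUR_PREFIXES))

# Constructed sample flows: (direction, source address)
SAMPLE = [
    ("egress", "192.0.2.77"),    # legitimate customer traffic
    ("egress", "203.0.113.9"),   # spoofed source from a zombie on our network
    ("ingress", "203.0.113.9"),  # ordinary inbound traffic
    ("ingress", "10.1.2.3"),     # RFC 1918 bogon source
    ("ingress", "192.0.2.5"),    # outsider claiming our own address space
]

def apply_filters(flows=SAMPLE):
    """Return {(direction, src): 'permit' | 'drop'} for each flow."""
    result = {}
    for direction, src in flows:
        ok = egress_permit(src) if direction == "egress" else ingress_permit(src)
        result[(direction, src)] = "permit" if ok else "drop"
    return result

if __name__ == "__main__":
    for (direction, src), verdict in apply_filters().items():
        print(f"{direction:7} {src:15} {verdict}")
```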