North American Network Operators Group

RE: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
Because there are legitimate reasons for async routing. DirectPC/Isat/etc.
(Satellite based services) come to mind immediately. Customers dial up to an
ISP and downstream traffic returns via the sat connection. Reverse-path
immediately disables every one of these customers. Qwest deployed this on us
with no notice and killed off thousands of customers in one fell swoop.
Although I agree with the principle, the implementation needs more thought
than a simple 'turn it on for 100%'.

Eric Krichbaum

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Alexei Roudnev
Sent: Thursday, June 03, 2004 1:40 AM
To: Jon R. Kibler; [email protected]
Subject: Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T

You do not even need to maintain an ACL - many routers have a 'back-path
verification' feature. I wonder why DSL and other 'consumer level' providers
are not doing it for 100% of their customers.

----- Original Message -----
From: "Jon R. Kibler" <[email protected]>
To: <[email protected]>
Sent: Wednesday, June 02, 2004 8:25 AM
Subject: Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T

> John Obi wrote:
> > ... since DDoS is the
> > nightmare of the internet now.
> >
>
> The sad fact is that simple ingress and egress filtering would
> eliminate the majority of bogus traffic on the Internet -- including
> (D)DoS attacks. If all ISPs would simply drop all outbound packets
> whose source address is not a valid IP for the subnet of origin,
> and all inbound packets that do not have valid source IP addresses,
> the DDoS problem would be (for all intents and purposes) fixed. If
> proper filtering was done, then any DoS attacks would have to have
> either valid source IP addresses, or IP addresses that spoofed IPs
> within their network of origin. In either case, identifying and
> shutting down the attackers would become a greatly simplified task
> compared to the mess it is today.
>
> Why no filtering by ISPs? "Because it takes resources and only benefits
> the other guy" -- unless your network is the one under attack.
>
> Maintenance of the ACLs should not be the issue. A single ACL for each
> subnet would be all that would be required for egress filtering. About
> 30 ACLs on an inbound border router would be required for ingress
> filtering. Keeping the ingress ACLs current is a brain-dead task -- just
> subscribe to the bogon mailing list at cymru.com.
>
> ACLs have had a bad reputation for greatly slowing down routers. That
> may have been true in the past, but properly written ACLs do not seem
> to have a significant impact on most new routers. Yes, they may cut
> peak through-put a few percent -- but if you are running that close to
> the edge, it is time to upgrade anyway.
>
> IMHO, there is absolutely no excuse for not doing ingress and egress
> filtering. In fact, if you are an ISP, I would argue that you are
> negligent in your fiduciary responsibilities to your customers and
> shareholders if you are not filtering source IP addresses.
>
> Fancy solutions may make great marketing, but simple proper router
> filtering is a very workable lower-cost solution.
>
> (Step down from soap box.) At least, that's my $0.02 worth.
>
> Jon Kibler
> --
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC USA
> (843) 849-8214
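The strict versus loose reverse-path check the thread argues over, as an added example that is not code from the thread or from any router vendor: a small forwarding table with a dial-up customer pool and a satellite-downlink pool (all prefixes, interface names and the bogon subset are constructed), showing that strict mode drops the asymmetric satellite customer Eric describes while loose mode keeps it, and that both still drop unrouted and bogon sources.

```python
import ipaddress

# Constructed FIB: prefix -> egress interface. Interface names are
# hypothetical; the documentation prefixes stand in for customer space.
FIB = {
    "198.51.100.0/24": "ppp0",      # ordinary dial-up customer pool
    "203.0.113.0/24": "sat0",       # satellite customers: return path is sat0
    "0.0.0.0/0": "upstream0",       # default route toward the Internet
}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
# Constructed subset of the bogon list (the ingress ACL case).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def lookup(src):
    """Longest-prefix match against FIB; None if the source is unrouted."""
    addr = ipaddress.ip_address(src)
    hits = [ipaddress.ip_network(p) for p in FIB if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def rpf_verdict(src, ingress, mode="strict"):
    """'pass' or 'drop' for a packet with source `src` arriving on `ingress`."""
    if any(ipaddress.ip_address(src) in b for b in BOGONS):
        return "drop"  # never a legitimate source, whatever the route says
    route = lookup(src)
    if route is None:
        return "drop"  # unrouted source: both modes drop
    if mode == "loose":
        # Loose mode only asks "is there any route back?". The default
        # route does not count, else everything would pass.
        return "drop" if route == DEFAULT else "pass"
    # Strict mode: the best route back must leave via the arrival
    # interface. This is Jon's per-subnet egress filter, and it is what
    # drops the satellite customer whose return path is sat0, not ppp0.
    return "pass" if FIB[str(route)] == ingress else "drop"


if __name__ == "__main__":
    for src, ifc, mode in [("198.51.100.7", "ppp0", "strict"),
                           ("203.0.113.9", "ppp0", "strict"),
                           ("203.0.113.9", "ppp0", "loose"),
                           ("192.0.2.5", "ppp0", "strict"),
                           ("10.0.0.1", "upstream0", "strict")]:
        print(f"{src:>14} {ifc:<9} {mode:<6} -> {rpf_verdict(src, ifc, mode)}")
```

Turning strict mode on for 100% of customer ports is safe only for ports whose return route really is that port; asymmetric customers need loose mode or an explicit exception.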