North American Network Operators Group


Re: anycast and ddos

  • From: Patrick W. Gilmore
  • Date: Fri May 06 12:50:14 2005

On May 6, 2005, at 12:40 PM, Randy Bush wrote:

> it seems that anycasting was quite insufficient to protect
> netsol's service from being severely damaged (udp dead, tcp
> worked) for a considerable length of time by a ddos [0] last
> week [1].  it would be very helpful to other folk concerned
> with service deployment to understand how the service in
> question was/is anycast, and what might be done differently
> to mitigate exposure of similar services.
>
> anyone have clues or is this ostrich city?  maybe a preso at
> nanog would be educational.
Seconded.


> [0] - as it seems that the ddos sources were ip address
>       spoofed (which is why the service still worked for
>       tcp), i owe paul an apology for downplaying the
>       immediacy of the need for source address filtering.
I was under the - possibly mistaken - impression that they activated their Riverhead boxes and that's why only TCP worked, not because of spoofed source.

Or are you saying that since the sources were spoofed, they could not filter the attack and had to resort to Riverhead's 'truncate' mechanism?


> [1] - netsol is not admitting anything happened, of course
>       <sigh>.  but we all saw the big splash as it hit the
>       water, the bubbles as it sank, and the symptoms made
>       the cause pretty clear.
How much does it suck that a major piece of Internet infrastructure was severely affected and the details are shrouded?

--
TTFN,
patrick
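The source address filtering Randy refers to in [0] (BCP38 ingress filtering at the edge where the spoofed packets enter the network) is illustrated below as an added example; it is not code from the thread or from any operator mentioned in it. The interface names, prefixes and packets are constructed, hypothetical values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: customer-facing interfaces and the address
# space each customer is actually assigned. A BCP38 ingress filter
# only accepts packets whose source address falls inside the prefixes
# routed toward the interface they arrived on.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/25")],
}


@dataclass
class Packet:
    iface: str   # ingress interface the packet arrived on
    src: str     # source IP address as written in the header
    dst: str     # destination IP address
    proto: str   # "udp" or "tcp"


def ingress_allowed(pkt, prefixes=CUSTOMER_PREFIXES):
    """BCP38 check: True only if pkt.src belongs to the prefixes
    assigned to the interface it came in on. Unknown interfaces
    carry no assignments, so everything on them is rejected."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in prefixes.get(pkt.iface, []))


def filter_packets(pkts, prefixes=CUSTOMER_PREFIXES):
    """Split a batch of packets into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for p in pkts:
        (accepted if ingress_allowed(p, prefixes) else dropped).append(p)
    return accepted, dropped


def dropped_fraction(pkts, prefixes=CUSTOMER_PREFIXES):
    """Share of the batch that a BCP38 edge would have discarded
    before it ever reached the (anycast or otherwise) target."""
    if not pkts:
        return 0.0
    _, dropped = filter_packets(pkts, prefixes)
    return len(dropped) / len(pkts)


# Constructed sample: one legitimate query and a few spoofed-source
# UDP packets, all entering on cust-a's interface toward a DNS server.
SAMPLE = [
    Packet("cust-a", "203.0.113.10", "192.0.2.53", "udp"),   # genuine
    Packet("cust-a", "10.44.1.9", "192.0.2.53", "udp"),      # spoofed
    Packet("cust-a", "198.51.100.7", "192.0.2.53", "udp"),   # cust-b's space
    Packet("cust-a", "172.16.0.2", "192.0.2.53", "udp"),     # spoofed
]
```

The genuine query passes while every packet with a source outside cust-a's assignment is dropped at the edge, which is the point of the [0] footnote: spoofed floods are stopped where they originate rather than at the victim.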