nanog mailing list archives
RE: engineering --> ddos and flooding
From: "Richard A. Steenbergen" <ras () e-gerbil net>
Date: Mon, 4 Jun 2001 15:08:41 -0400 (EDT)
On Mon, Jun 04, 2001 at 02:08:52PM -0400, Matt Zito wrote:
Sorry but IMESHO null routing a /32 during a DoS attacck doesn't exactly strike me as engineering. It is more like dealing with the attack in real-time. To mean engineering would mean desinging networks to be resistant to DDoS and flooding in the first plsce.
Giving the customer the option to have their announced prefix null routed internally is a powerful value add that fits in right along side giving them other controls like preference and prepending. Usually this is passed as a community tag, and good networks give their customers these controls.
To that end no NSP should ever allow spoofed IP addresses outside of their network. (not just RFC 1918 addresses but valid IPs that don't belong to that NSP)
This guarantees nothing.
Two NSPs should rate limit DoS traffic (ICMP & SYNs) within their networks in such a way that it can never DoS a T-1 (or E-1 if you are not in the US). [note: I'm not sure if ciso's are up for this workload since I primarily work with Juniper.]
Bad plan. Then a single t1 worth of attack can effectively stop all icmp or syns from passing through.
Rate-limiting ICMP is not so difficult - rate-limiting SYNs is basically useless. Syn floods work not because the amount of traffic they do, but because they fill up state tables or make them so horribly inefficient as to make the box cease responding on that port. Given that, say, a linux box has a default queue depth of 128, I can send 128 spoofed SYNs at a rate of one a second, and in two minutes that box will stop responding. The larger you make the queue, the longer it will stand up to a slow SYN attack, but the more costly each incoming SYN and SYN+ACK becomes, as the data structures become more and more unwieldy.
Wrong, and very much out of date. I didn't write all this down to waste my breath... http://www.e-gerbil.net/ras/projects/dos/dos.txt -- Richard A Steenbergen <ras () e-gerbil net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Current thread:
- Re: engineering --> ddos and flooding, (continued)
- Re: engineering --> ddos and flooding Mark Mentovai (Jun 01)
- Re: engineering --> ddos and flooding Hank Nussbacher (Jun 03)
- Re: engineering --> ddos and flooding Geoff Zinderdine (Jun 04)
- Re: engineering --> ddos and flooding Mark Mentovai (Jun 01)
- Re: engineering --> ddos and flooding Sykes, Phil (Jun 01)
- Re: engineering --> ddos and flooding Paul Johnson (Jun 04)
- Re: engineering --> ddos and flooding Mark Mentovai (Jun 04)
- Re: engineering --> ddos and flooding Valdis . Kletnieks (Jun 04)
- Re: engineering --> ddos and flooding Dan Hollis (Jun 04)
- RE: engineering --> ddos and flooding Matt Zito (Jun 04)
- RE: engineering --> ddos and flooding Hank Nussbacher (Jun 04)
- RE: engineering --> ddos and flooding Richard A. Steenbergen (Jun 04)
- RE: engineering --> ddos and flooding Matt Zito (Jun 04)
- RE: engineering --> ddos and flooding Richard A. Steenbergen (Jun 04)