nanog mailing list archives
Re: ICANN Targets DDoS Attacks
From: Alex Bligh <alex () alex org uk>
Date: Fri, 01 Nov 2002 17:45:03 -0000
--On 29 October 2002 21:11 +0000 "Stephen J. Wilcox" <steve () telecomplete co uk> wrote:
> As they say, if you don't set the rate limit too low then you won't encounter drops under normal operation.
It would be useful if [vendor-du-jour] implemented rate-limiting by hashed corresponding IP address, i.e.:

    hash = gethash(source);
    if (!hash) { hash = gethash(dest); }
    if (hash) ratelimiton(bucket(hash));

That way you could (on transit interfaces) specify a paltry limit of (say) 10kb/s of ICMP (per (hashed) source/destination), even when there was 'naturally' hundreds of Mb/s of ICMP flowing through the interface in a non-DDoS environment. And if an IP gets DDoS'd (or sources a DDoS), the rate limit would only affect that IP (oh, and any hash equivalents).

As, for these purposes, dropping large numbers of relatively inactive hash entries wouldn't be painful, I would have thought this would be unlikely to suffer from the self-similarity properties that made Netflow hard - but perhaps not.

Alex
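The per-hashed-address limiter Alex sketches above, worked through as an added example (this is illustrative code written for this archive page, not Alex's code and not any vendor's implementation). It keeps a fixed table of byte-rate token buckets indexed by a hash of the source address, so each hashed address gets its own 10 kB/s allowance while the interface as a whole carries far more ICMP, and addresses whose hashes collide share a bucket (Alex's "hash equivalents"). The table size (4096), the CRC32 hash, the one-second bucket depth, the reading of `if (!hash)` as "fall back to the destination when the source is unusable", and the traffic mix in `simulate()` are all assumptions made here.

```python
"""Added example: a per-address ICMP rate limiter in the style of the post.

A fixed table of token buckets is indexed by a hash of the packet's source
address (falling back to the destination), so each hashed address gets its
own 10 kB/s allowance while the interface as a whole can carry far more ICMP.
Addresses whose hashes collide share a bucket ("hash equivalents").
"""
import ipaddress
import zlib
from dataclasses import dataclass

NUM_BUCKETS = 4096             # assumed size of the hash-indexed bucket table
RATE_BYTES_PER_SEC = 10_000    # the post's "paltry" 10 kB/s per hashed address
BURST_BYTES = 10_000           # assumed bucket depth: one second's worth of rate


def address_hash(addr: str) -> int:
    """Map an IPv4/IPv6 address to a bucket index (CRC32 of the packed address; assumed)."""
    return zlib.crc32(ipaddress.ip_address(addr).packed) % NUM_BUCKETS


@dataclass
class TokenBucket:
    """Byte-rate token bucket; time is passed in explicitly so runs are deterministic."""
    tokens: float = BURST_BYTES
    last: float = 0.0

    def allow(self, size: int, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(BURST_BYTES, self.tokens + elapsed * RATE_BYTES_PER_SEC)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class HashedIcmpLimiter:
    """Rate-limit ICMP per hashed source (or destination) address."""

    def __init__(self) -> None:
        self.buckets = [TokenBucket() for _ in range(NUM_BUCKETS)]

    def bucket_for(self, src: str, dst: str) -> int:
        # Reading of the post's "hash=gethash(source); if (!hash) hash=gethash(dest)":
        # key on the source unless it is unusable (unspecified), then on the destination.
        if not ipaddress.ip_address(src).is_unspecified:
            return address_hash(src)
        return address_hash(dst)

    def accept(self, src: str, dst: str, size: int, now: float) -> bool:
        return self.buckets[self.bucket_for(src, dst)].allow(size, now)


def simulate() -> dict:
    """Constructed traffic mix (not measured data): 500 hosts each sending a
    64-byte echo every 10 ms (6.4 kB/s each, ~3.2 MB/s aggregate) plus one host
    flooding 1500-byte packets every 1 ms (1.5 MB/s) at a single target."""
    target = "198.51.100.53"
    flooder = "192.0.2.1"
    events = []                                           # (time, src, size, is_flood)
    for i in range(500):
        src = f"10.0.{i // 256}.{i % 256}"
        events += [(k * 0.010, src, 64, False) for k in range(100)]
    events += [(k * 0.001, flooder, 1500, True) for k in range(1000)]
    events.sort(key=lambda e: e[0])

    limiter = HashedIcmpLimiter()
    passed = {False: 0, True: 0}
    total = {False: 0, True: 0}
    for now, src, size, is_flood in events:
        total[is_flood] += 1
        if limiter.accept(src, target, size, now):
            passed[is_flood] += 1
    return {
        "background_pass_ratio": passed[False] / total[False],
        "flood_pass_ratio": passed[True] / total[True],
        # True if some innocent host landed in the flooder's bucket and got starved too
        "flood_bucket_shared": any(
            address_hash(f"10.0.{i // 256}.{i % 256}") == address_hash(flooder)
            for i in range(500)
        ),
    }


if __name__ == "__main__":
    print(simulate())
```

In the simulated second the flooder gets roughly 20 kB through (the initial bucket plus one second of refill, about 13 of its 1000 packets) while the 500 background hosts, whose aggregate ICMP is far above any per-interface limit one would dare configure, pass essentially untouched. The `flood_bucket_shared` flag shows the one cost of the scheme the post itself notes: whichever addresses hash into the flooder's bucket are limited along with it, so the table should be sized (or the hash keyed) with that collision rate in mind.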
Current thread:
- Re: ICANN Targets DDoS Attacks Alex Bligh (Nov 01)
- <Possible follow-ups>
- Re: ICANN Targets DDoS Attacks alok (Nov 04)
- Re: ICANN Targets DDoS Attacks bmanning (Nov 04)
- Re: ICANN Targets DDoS Attacks Alex Bligh (Nov 04)
- Re: ICANN Targets DDoS Attacks alok (Nov 04)
- Re: ICANN Targets DDoS Attacks David Conrad (Nov 04)
- Message not available
- Re: ICANN Targets DDoS Attacks alok (Nov 04)
- Re: ICANN Targets DDoS Attacks bmanning (Nov 04)