nanog mailing list archives
Re: We have a firewall (was Re: Pakistan government orders ISP service level agreement)
From: "Christopher L. Morrow" <chris () UU NET>
Date: Wed, 7 May 2003 03:27:13 +0000 (GMT)
On Tue, 6 May 2003, Phil Rosenthal wrote:
On 5/6/03 7:51 PM, "E.B. Dreger" <eddy+public+spam () noc everquick net> wrote:

SD> Date: Tue, 6 May 2003 19:28:48 -0400 (EDT)
SD> From: Sean Donelan

SD> The Pakistan Telecommunications Company Ltd has acquired a
SD> firewall to solve the DDOS situation impacting Internet
SD> service in the country. An unnamed security advisor asserted
SD> the proper use of a firewall would control the DDOS attacks
SD> and prevent hacking.

Now the DDoS melts the pipes _and_ the firewall. I'd like to know if said "consultant" ever considered recommending the PTC contact their upstreams for help with backtrace/blocking. Anyone with a modicum of clue (or Google access) should figure out that one...

Not every upstream is as clueful as Uunet, and not every noc employee is as clueful as Chris and Brian at UUnet.
oh oh... there are quite a few folks who work, including the NOC here, to make Brian look good :) (and me, but mostly Brian looks good)
It has been my experience that most upstreams have no concept that they CAN backtrace, and generally have no interest in helping you do it. I'm not mudslinging here, so I won't say who my experience is with, but a few transitless/near transitless upstreams I've dealt with were most unhelpful, either because they didn't know how to help, or worse, they did know how to help and didn't care.
Unfortunately this is the case at times, I will name some good names though, C&W/Qwest/Verio/Sprint/ATT among the larger carriers I've recently dealt with, in the US. Francetelecom and SwissComm at least external to the US are also quite helpful these days. It seems that at least all of these folks have been active in stopping many recent attacks. There are some others that don't seem quite as helpful, but that number is getting smaller.
And, depending on the nature of the DDoS attack, perhaps it isn't related to saturation, but rather to overloading router processors, or something else that can effectively be filtered customer-side?
There is a fine balance that has to be struck... killing a provider side router and N customers or degraded service for a single customer who can still filter their side of the link :( sometimes people aren't happy with the response.
Our policy as of late has just been to make sure we have equipment on our side fast enough to filter at wire speed, and get enough capacity to our upstreams that it is significantly unlikely that anyone could generate enough traffic to saturate it (in which case, we would have no choice but to ask carriers to filter, and backtrace).