nanog mailing list archives

Re: ddos attacks


From: John Kristoff <jtk () cymru com>
Date: Thu, 19 Dec 2013 07:05:40 -0600

On Wed, 18 Dec 2013 15:12:28 -0800
"cb.list6" <cb.list6 () gmail com> wrote:

> I am strongly considering having my upstreams to simply rate limit
> ipv4 UDP. It is the simplest solution that is proactive.

I understand your willingness to do this, but I'd strongly advise
you to rethink such a strategy.  At its simplest implementation, as
soon as you do this, any UDP flood of that size will then starve
important UDP traffic.  Yes, DNS is probably the most important, but NTP
is another important one you may inadvertently harm.

> The facts are that during steady state less than 5% of my aggregate
> traffic is ipv4 udp.

I had found this to be generally true years back when I was doing ops
at an edu and had in fact put UDP (and other IP protocol) rate
limits at the ingress edge, host facing interfaces.  This actually
worked pretty well, at least after I also removed the aggregate UDP rate
limit in the middle of the network that led to the public Internet.

So for instance, a Slammer/Sapphire worm infection was severely limited
and contained to impact only a small portion of the infrastructure,
meanwhile we could immediately spot the problem when the rate limit
alarms were triggered.

The problem with your proposal is that it completes the job for your
entire network.  Now perhaps if you excluded, or provided a separate
limit for, what you know to be important UDP flows, then the idea may
be more palatable to everyday operations.

John
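As an added illustration (not part of John's mail or any other post in this thread), here is a small Python token-bucket simulation of the two designs he contrasts: one aggregate UDP limit shared by everything, versus separate limits for the flows you know matter. The traffic mix, rates and bucket sizes are constructed assumptions, not figures from the thread.

```python
import random

# Constructed offered load in packets per second (assumption, not measured data).
OFFERED = {"dns": 500, "ntp": 100, "flood": 50_000}

class TokenBucket:
    """Single-rate policer: refills `rate` tokens/s, stores at most `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        """Spend one token for a packet arriving at time `now`; False means drop."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def packets(seed=2013):
    """Random arrival times within one second for each class, merged by time."""
    rng = random.Random(seed)
    pkts = [(rng.random(), cls) for cls, pps in OFFERED.items() for _ in range(pps)]
    return sorted(pkts, key=lambda p: p[0])

def run(policy):
    """Police one second of traffic; `policy` maps class -> bucket. Returns accepted counts."""
    accepted = {cls: 0 for cls in OFFERED}
    for t, cls in packets():
        if policy[cls].allow(t):
            accepted[cls] += 1
    return accepted

def aggregate_policy(rate=2000, burst=200):
    """Design A: one shared bucket for all UDP (the blanket upstream limit)."""
    shared = TokenBucket(rate, burst)
    return {cls: shared for cls in OFFERED}

def per_class_policy():
    """Design B: DNS and NTP get their own buckets, everything else shares one."""
    return {"dns": TokenBucket(1000, 100),
            "ntp": TokenBucket(500, 50),
            "flood": TokenBucket(2000, 200)}

if __name__ == "__main__":
    print("aggregate:", run(aggregate_policy()))
    print("per-class:", run(per_class_policy()))
```

Under the shared bucket the flood wins nearly every refilled token, so DNS and NTP are dropped along with it; with per-class buckets the flood is still held to its own limit while DNS and NTP pass untouched.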
