nanog mailing list archives
Re: ddos attacks
From: "cb.list6" <cb.list6 () gmail com>
Date: Thu, 19 Dec 2013 08:33:21 -0800
On Thu, Dec 19, 2013 at 8:18 AM, Edward Lewis <ed.lewis () neustar biz> wrote:
> On Dec 18, 2013, at 18:12, cb.list6 wrote:
>
>> I am strongly considering having my upstreams simply rate-limit IPv4 UDP. It is the simplest solution that is proactive.
>
> Recently it's been said that when a protocol is "query/response" (like DNS), willingly suppressing responses might be as harmful as passing all the traffic. This comes from a presentation at October's DNS-OARC workshop: https://indico.dns-oarc.net//getFile.py/access?contribId=4&resId=0&materialId=slides&confId=1
>
> This is a "what is possible in theory" presentation, said to help you set your expectation whether this is a true threat or not. The underlying message is that while a querier is waiting for a response, there is a window of vulnerability in which a forged response might be accepted. If the responder elects not to respond, they increase the (time) duration of that window.
>
> While "smart" rate limiting exhibits benefits, I suspect "simple" rate limiting might have some undesirable consequences.
I completely agree. This is why I have not implemented IPv4 UDP rate-limiting yet, but it seems inevitable for 2014 if these attacks go on. The profile I have in mind is when UDP exceeds 5x the baseline, then tail-drop. Keep in mind, when UDP exceeds 5x the baseline, the chances are 99% that the UDP is consuming the entire ISP pipe and everything is rate-limited due to the pipe being saturated. So, this is not a simple either/or. This is degrade UDP proactively or suffer all traffic degrading because there is a huge DDoS coming in (which is the current situation).
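The two points traded back and forth above (a "simple" policer that tail-drops UDP above 5x a baseline, and the wider forged-reply window a querier is exposed to when a responder stays silent) can be put in a small model. The code below is an added example, not code from either poster; the 5x factor is taken from the reply, while the EWMA baseline, the traffic figures, the RTT and retry timeout, the attacker send rate and the assumed TXID-plus-source-port ID space are all constructed assumptions for illustration.

```python
"""Two small models of the tradeoff discussed in this thread (an added
example, not code from the list posters):

1. police_udp(): a "simple" UDP policer that tail-drops once offered UDP
   exceeds factor x a moving baseline (the 5x-baseline policy proposed
   above), showing how much legitimate UDP such blind tail drop takes
   with it.
2. spoof_success_probability(): how the chance of a forged reply being
   accepted grows with the time the querier spends waiting, i.e. the
   "window of vulnerability" that widens when a responder stays silent.

All traffic figures, timers and the ID space are constructed assumptions.
"""

from dataclasses import dataclass


@dataclass
class IntervalResult:
    offered_pps: float       # all UDP offered this interval (legit + attack)
    legit_pps: float         # legitimate share of the offered traffic
    cap_pps: float           # policer cap in force (factor x baseline)
    allowed_pps: float       # what the policer let through
    legit_passed_pps: float  # legitimate packets that survived tail drop
    policing: bool           # True when the cap was hit


def police_udp(samples, factor=5.0, alpha=0.1):
    """Run a baseline-relative tail-drop policer over per-interval samples.

    samples: iterable of (legit_pps, attack_pps) pairs, one per interval.
    The baseline is an EWMA of offered UDP that is frozen while policing,
    so a flood cannot drag the baseline (and with it the cap) upward.
    Tail drop is blind to content: legitimate packets are dropped in
    proportion to their share of the offered load.
    """
    baseline = None
    results = []
    for legit, attack in samples:
        offered = float(legit + attack)
        if baseline is None:
            baseline = offered            # seed from the first interval
        cap = factor * baseline
        policing = offered > cap
        allowed = min(offered, cap)
        legit_passed = legit * allowed / offered if offered else 0.0
        if not policing:                  # learn only from normal intervals
            baseline = (1 - alpha) * baseline + alpha * offered
        results.append(IntervalResult(offered, legit, cap, allowed,
                                      legit_passed, policing))
    return results


def sample_traffic(normal_intervals=20, flood_intervals=10,
                   legit_pps=1000, attack_pps=50000):
    """Constructed traffic: a quiet baseline with mild jitter, then a flood
    that dwarfs it (the '5x over baseline, pipe is full' situation)."""
    quiet = [(legit_pps + (i % 5) * 20, 0) for i in range(normal_intervals)]
    flood = [(legit_pps, attack_pps) for _ in range(flood_intervals)]
    return quiet + flood


def spoof_success_probability(window_s, forged_pps, id_space=65536 * 64512):
    """Probability that at least one blind forged reply matches the
    querier's (TXID, source port) before the window closes.

    id_space assumes a 16-bit TXID and source ports drawn from a 64512-wide
    ephemeral range; forged_pps is the attacker's send rate.  Each forged
    packet is an independent 1/id_space guess, so
    P = 1 - (1 - 1/id_space) ** (window_s * forged_pps).
    """
    tries = window_s * forged_pps
    return 1.0 - (1.0 - 1.0 / id_space) ** tries


def window_comparison(rtt_s=0.05, timeout_s=2.0, forged_pps=1_000_000):
    """Compare the spoofing odds when the responder answers (window ~ RTT)
    against a suppressed response (window ~ the querier's retry timeout).
    Returns (p_answered, p_suppressed)."""
    return (spoof_success_probability(rtt_s, forged_pps),
            spoof_success_probability(timeout_s, forged_pps))


if __name__ == "__main__":
    for n, r in enumerate(police_udp(sample_traffic())):
        if r.policing:
            print(f"interval {n}: offered {r.offered_pps:.0f} pps, "
                  f"cap {r.cap_pps:.0f}, legit passed "
                  f"{r.legit_passed_pps:.0f}/{r.legit_pps:.0f}")
    p_ans, p_sup = window_comparison()
    print(f"forged-reply success: answered {p_ans:.2e}, "
          f"suppressed {p_sup:.2e} ({p_sup / p_ans:.0f}x)")
```

Two design points worth noting: the baseline is only updated on intervals that are not being policed, otherwise a sustained flood raises the baseline and the cap drifts up with it; and because tail drop cannot tell a reflected flood from a legitimate DNS answer, the flood intervals in the constructed sample lose roughly 90% of the legitimate UDP, which is exactly the kind of suppressed response that lengthens the querier's wait and, in the model, multiplies the forged-reply odds by the ratio of the retry timeout to the RTT.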