nanog mailing list archives

Previous By Date Next
Previous By Thread Next

RE: DDOS, IDS, RTBH, and Rate limiting

From: "Frank Bulk" <frnkblk () iname com>
Date: Sat, 8 Nov 2014 20:42:38 -0600
There's no doubt, rate-limiting is a poor-man's way of getting the job done,
but for small operators who aren't as well instrumented (whether that due to
staff or resources), a simple rule such as:
        access-list 100 ip host 0.0.0.0 0.0.0.0 rate-limit 200000
        access-list 100 ip host 0.0.0.0 0.0.0.255 rate-limit 5000000
        int vlan 10
        description Internet uplink
         ip access-group 100 in
        !
would be great.

Yes, the /32 under attack would essentially be out of service, but at least
the downstream network doesn't get congested and more customers affected.

Frank

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Roland Dobbins
Sent: Saturday, November 08, 2014 8:28 PM
To: NANOG
Subject: Re: DDOS, IDS, RTBH, and Rate limiting


On 9 Nov 2014, at 8:59, Frank Bulk wrote:


I've written it before: if there was a software feature in routers 
where I
could specify the maximum rate any prefix size (up to /32) could 
receive,
that would be very helpful.


QoS generally isn't a suitable mechanism for DDoS mitigation, as the 
programmatically-generated attack traffic ends up 'crowding out' 
legitimate traffic.

S/RTBH, flowspec, and other methods tend to produce better results.

-----------------------------------
Roland Dobbins <rdobbins () arbor net>
Previous By Date Next
Previous By Thread Next

Current thread: