nanog mailing list archives
Re: DDOS, IDS, RTBH, and Rate limiting
From: Jon Lewis <jlewis () lewis org>
Date: Sat, 8 Nov 2014 22:37:45 -0500 (EST)
On Sun, 9 Nov 2014, Roland Dobbins wrote:
> On 9 Nov 2014, at 10:12, Jon Lewis wrote:
>
>> The tricky part is when to remove the route...since you can't tell if
>> the attack has ended while the target is black holed by your upstreams.
>
> You can with NetFlow, if you've D/RTBHed the IP in question on your own
> infrastructure. NetFlow reports statistics on dropped traffic (except on
> a few platforms with implementation deficiencies).
I'm assuming from the OP's comment:

"We set up BGP communities with our upstreams, and tested that RTBH can be set and it does work."

that they have their upstreams null routing the traffic, so they no longer see the attack traffic.
> But this kind of thing punishes the victim. It's far better to do
> everything possible to *protect* the target(s) of an attack, and only use
> D/RTBH as a last resort.
I'm sure it's not always the case, but in my experience as a SP, the victim virtually always did something to instigate the attack, and is usually someone you don't want as a customer. When I worked for a cloud hosting provider, the DDoS "victims" tended to be fraudulent signups who were doing malicious or anti-social things on the net and were not paying customers anyway.
As someone else mentioned, it's better to sacrifice the one target and end the impact quickly than to piss off all or even some subset of your customers.
----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
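As an added illustration (not code from the thread or from either poster), this is how the NetFlow check Roland describes could be automated: sum the bytes NetFlow reports as dropped toward the black-holed address per interval, and only withdraw the D/RTBH route after several consecutive quiet intervals, so a short lull in the attack does not cause the route to flap. The FlowRecord layout, the `dropped` flag and the sample flows are constructed for this example; which NetFlow field marks discarded traffic varies by platform, and none of this works if only the upstreams are null-routing.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowRecord:
    ts: int         # flow start, seconds since epoch (constructed)
    dst: str        # destination address
    bytes: int      # bytes in the flow
    dropped: bool   # True when the exporter reports the flow as discarded


TARGET = "192.0.2.10"   # constructed black-holed address (TEST-NET-1)
INTERVAL = 60           # seconds per measurement bucket

# Constructed flows: attack at ~8 Mbps, a brief lull at t=120, resumes,
# then tapers off. The t=300 flow is not dropped and must be ignored.
SAMPLE = [
    FlowRecord(0,   TARGET,       40_000_000, True),
    FlowRecord(30,  TARGET,       20_000_000, True),
    FlowRecord(0,   "192.0.2.20",  9_000_000, True),   # other host, ignored
    FlowRecord(60,  TARGET,       45_000_000, True),
    FlowRecord(120, TARGET,        3_000_000, True),   # lull
    FlowRecord(180, TARGET,       30_000_000, True),   # attack resumes
    FlowRecord(240, TARGET,        1_500_000, True),
    FlowRecord(300, TARGET,          500_000, False),  # forwarded, ignored
    FlowRecord(360, TARGET,          750_000, True),
]


def dropped_bps(records, target, interval=INTERVAL):
    """Bits per second of dropped traffic toward `target`, keyed by bucket."""
    buckets = defaultdict(int)
    for r in records:
        if r.dst == target and r.dropped:
            buckets[r.ts - r.ts % interval] += r.bytes
    return {t: b * 8 / interval for t, b in sorted(buckets.items())}


def withdraw_at(rates, threshold_bps, quiet_intervals, interval=INTERVAL):
    """Return the bucket at which the route may be withdrawn, or None.

    Requires `quiet_intervals` consecutive buckets below threshold; buckets
    with no dropped flows at all count as quiet (rate 0)."""
    if not rates:
        return None
    quiet, t, last = 0, min(rates), max(rates)
    while t <= last:
        if rates.get(t, 0.0) < threshold_bps:
            quiet += 1
            if quiet >= quiet_intervals:
                return t
        else:
            quiet = 0          # attack still running: restart the count
        t += interval
    return None
```

Set the threshold above the address's normal inbound rate, since once the null route is in place NetFlow counts legitimate traffic as dropped too.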