nanog mailing list archives

Re: automatic rtbh trigger using flow data


From: "Roland Dobbins" <rdobbins () arbor net>
Date: Sun, 02 Sep 2018 10:02:43 +0700


On 1 Sep 2018, at 1:35, Aaron Gould wrote:

> I may mark internet-sourced-udp with a certain marking dscp/exp so that as it travels through my internet network, it will be the first to get dropped (? Wred ? work well for udp?) during congestion when an attack gets through

You can use flow telemetry analysis to look at the UDP non-initial fragments destined for any access networks under your control; you'll likely see that they comprise a tiny portion of the overall traffic mix, and they're most commonly associated with large DNS answers.

Once you've determined the numbers, you can police down the non-initial fragments destined for the access networks you control (don't do this on transit traffic!) to whatever small percentage makes the most sense, with a bit of extra headroom. 1% of link bandwidth works for several operators.

In that QoS policy, you exempt well-known/well-run open DNS recursor farms like Google DNS, OpenDNS, et al. (and possibly your own, depending on your topology, etc.), and any other legitimate source CIDRs which generate appreciable amounts of non-initial fragments.

When a reflection/amplification attack which involves non-initial fragments hits, the QoS policy will sink a significant proportion of the attack. It doesn't help with your peering links, but keeps the traffic off your core and off the large network(s).

Again, don't apply this across-the-board; only do it for access networks within your span of administrative control.

> * btw, what can you experts tell me about tcp-based volumetric attacks...

TCP reflection/amplification.

-----------------------------------
Roland Dobbins <rdobbins () arbor net>
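The sizing and exemption steps above, as an added example that is not part of the original post: it walks constructed flow records, classifies UDP non-initial fragments destined for the access networks you control (never transit), exempts listed recursor prefixes, and derives a policer rate as measured link share times headroom, never below the 1% figure mentioned. All prefixes, the flow-record shape and the `frag_offset` field are assumptions.

```python
from ipaddress import ip_address, ip_network

# Access networks under our administrative control (constructed prefixes).
ACCESS_NETS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
# Legitimate fragment sources to exempt, e.g. well-run open recursors
# (constructed placeholder prefix, not any real provider's address block).
EXEMPT_SRCS = [ip_network("192.0.2.0/24")]

# Constructed flow records in a simplified NetFlow/IPFIX-like shape; we assume
# the exporter reports the IPv4 fragment offset (frag_offset) per flow.
FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": 17, "frag_offset": 185, "bytes": 3000},   # exempt recursor
    {"src": "100.64.0.9", "dst": "198.51.100.7", "proto": 17, "frag_offset": 185, "bytes": 9000},   # to be policed
    {"src": "100.64.0.9", "dst": "198.51.100.7", "proto": 17, "frag_offset": 0, "bytes": 1500},     # initial fragment
    {"src": "100.64.0.9", "dst": "172.16.5.1", "proto": 17, "frag_offset": 185, "bytes": 60000},    # transit destination
    {"src": "100.64.0.3", "dst": "203.0.113.9", "proto": 6, "frag_offset": 0, "bytes": 40000},      # TCP, not a fragment
]

def in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)

def classify(rec):
    """Return 'police', 'exempt' or 'pass' for one flow record."""
    if not in_any(rec["dst"], ACCESS_NETS):
        return "pass"            # transit traffic is never policed
    # UDP non-initial fragment: protocol 17 with a non-zero fragment offset.
    if rec["proto"] != 17 or rec["frag_offset"] == 0:
        return "pass"
    if in_any(rec["src"], EXEMPT_SRCS):
        return "exempt"
    return "police"

def summarize(records):
    counts = {"pass": 0, "exempt": 0, "police": 0}
    for r in records:
        counts[classify(r)] += 1
    return counts

def size_policer(records, link_bps, interval_s=60, headroom=2.0, floor_pct=1.0):
    """Policed-class share of link capacity times headroom, floored at floor_pct."""
    policed = sum(r["bytes"] for r in records if classify(r) == "police")
    total = sum(r["bytes"] for r in records)
    link_share_pct = 100.0 * policed * 8 / interval_s / link_bps
    pct = max(floor_pct, link_share_pct * headroom)
    return {
        "share_of_traffic_pct": round(100.0 * policed / total, 3),
        "policer_pct": pct,
        "policer_bps": link_bps * pct / 100.0,
    }
```

Run `summarize(FLOWS)` and `size_policer(FLOWS, link_bps=1_000_000_000)` on real exporter data (many intervals, not one) before committing a rate to a policy-map.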

