Firewall Wizards mailing list archives

Re: RE: Why blocking bogons buys you nothing (Mikael Olsson)


From: Barney Wolff <barney () databus com>
Date: Sun, 9 Nov 2003 20:07:14 -0500

On Sun, Nov 09, 2003 at 07:07:10PM +0100, Mikael Olsson wrote:

> 40-50% is not "significant" for a DDoS in my opinion. Especially
> not if you're doing it on the wrong end of your Internet connection.

Depends on your goal.  If your goal is immunity from every DDoS, yes.
But that goal is unattainable by any means.  If your goal is to reduce
the frequency of outages caused by DDoS, 50% is significant, because
not every attack will come from the most powerful attacker.

Whether your Internet connection has a wrong end depends on its bandwidth.
If you're in a colo with GigE or better, and servers each of which
cannot absorb that on its own, any means of degrading the attack is worth
trying.  If you're behind a T1 or DSL there's nothing you can do on
your end.

One way to filter bogons inbound is to take a BGP feed and do loose RPF
on your inbound interface(s).  That way you don't have to worry about
keeping your bogon list up to date, and you also reject a greater fraction
of spoofed packets, because there's a lot of space that's assigned but
not advertised.

Strict RPF on outbound is simply good citizenship and ought to be part
of every end-system's firewall rules.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
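A small simulation of the two checks Barney describes (loose RPF on the inbound interface fed by a full routing table, strict RPF on the outbound side), added here as an illustration; it is not from the post or from any router vendor's implementation. The FIB entries, interface names and addresses are constructed sample data, and 203.0.113.0/24 stands in for space that is assigned but not advertised.

```python
"""Simulated loose and strict unicast RPF over a small forwarding table.

Added example, not from the original post. FIB entries, interfaces and
addresses are constructed; 203.0.113.0/24 plays the role of assigned but
unadvertised space, so it is deliberately absent from the table.
"""
import ipaddress

# Constructed FIB: (prefix, egress interface), as a BGP full-table view.
FIB = [
    ("192.0.2.0/24", "eth1"),      # our own customer prefix, behind eth1
    ("198.51.100.0/24", "eth0"),   # remote prefix reachable via upstream
    ("0.0.0.0/0", "eth0"),         # default route toward upstream
]


def lookup(src, fib=FIB):
    """Longest-prefix match for a source address; (network, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def loose_rpf(src, fib=FIB, allow_default=False):
    """Loose RPF: accept if the FIB holds any route to the source.

    The default route is ignored unless allow_default is set: if it counted,
    every source would match and the check would filter nothing. Both
    unassigned (bogon) and assigned-but-unadvertised space fail without
    any separately maintained bogon list.
    """
    hit = lookup(src, fib)
    if hit is None:
        return False
    net, _ = hit
    return allow_default or net.prefixlen > 0


def strict_rpf(src, ingress_iface, fib=FIB):
    """Strict RPF: accept only if the best route to the source points back
    out the interface the packet arrived on. Used on the customer-facing
    side, this stops a host from emitting packets with forged sources."""
    hit = lookup(src, fib)
    return hit is not None and hit[0].prefixlen > 0 and hit[1] == ingress_iface
```

Loose RPF is only as good as the table behind it: a router holding just a default route passes everything, which is why the post pairs it with a BGP feed.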