RE: Effective ways to deal with DDoS attacks?

["Barry Raveendran Greene" <bgreene () cisco com>]

Be mindful that uRPF Strict Mode was created to help scale BCP 38 filtering.
If you have 1000 lease line customers and can use uRFP Strict Mode on 80% of
those customers, that is 80% fewer BCP38 ACLs that you need to manage.

For the other 20% you have uRFP + BGP tweaks or plain old ACLs. But as Chris
inferred, that 20% where you cannot use simple uRPF is also the 20% most
difficult customers.

> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of
> Iljitsch van Beijnum
> Sent: Sunday, May 05, 2002 12:44 AM
> To: Christopher L. Morrow
> Cc: nanog () merit edu
> Subject: Re: Effective ways to deal with DDoS attacks?
>
>
>
> On Sun, 5 May 2002, Christopher L. Morrow wrote:
>
> > > > like with single homed customers. The only time when those sets of
> > > > prefixes is NOT the same is for a backup connection. But if
> a connection
>
> > > Not always the case, customer behaviour can not be accurately modeled.
>
> > I was hoping someone else might mention this, BUT what about the case of
> > customers providing transit for outbound but not inbound
> traffic for their
> > customers? We have many, many cases of customers that are 'default
> > routing' for their customers that get inbound traffic down alternate
> > customers or peers or wherever...
>
> Is there a compelling reason you should allow this? If yes, you can't use
> uRPF and you have to install an acl to do sanity checking on the
> customer's source addresses. If no, they'll have to announce those routes
> to you. If they set the no export community they still won't get any
> inbound traffic to speak of.
>
> > uRPF seems like a not so good solution
> > for these instances :( especially since some of these are our worst
> > abusers :(
>
> Well if these are your worst abusers, it seems to me uRPF is exactly what
> those customers need.  ;-)