nanog mailing list archives
Re: WANTED: ISPs with DDoS defense solutions
From: Paul Vixie <vixie () vix com>
Date: 05 Aug 2003 05:07:15 +0000
chris () UU NET ("Christopher L. Morrow") writes:
> There are many cases in which the backbone can't determine the 'proper' traffic an edge is sending in.
i'd like to discuss these, or see them discussed. networks have edges, even if some networks are "edge networks" and some are "backbone networks." bcp38 talks about various kinds of "loose" rpf, for example not accepting a source for which there's no corresponding nondefault route.
> Not to mention the problems of filtering on an edge device with 100's or 1000's of interfaces. The proper and simple place for this filtering is as close to the end device as possible. Backbones just aren't made to filter traffic, edge networks are.
so, the problem is transitive. you might have a multihomed customer whose network spans some of the same peerography as yours, and if you both use hot potato there will be path asymmetry, such that your route back to a source might be through pop A while they deliver that source's traffic to you at pop B. your only recourse is to get them to filter at their edge, which you hope is less ambiguous than yours. but they might have the same situation with their downstream. and you're not requiring them to do edge filtering as a contract/peering term, nor are you requiring them to require their downstreams to do so. this means the problem goes from "transitive" to "laundered" in about one AS hop or so. i don't consider this a healthy situation, and i'd like to hear you list the kinds of rpf you know of and why none can be used on a "backbone".
--
Paul Vixie
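An added illustration, not part of the original message or thread: a small model of strict and loose rpf on a router at "pop B", showing how the path asymmetry described above makes strict rpf drop legitimate customer traffic while loose rpf only rejects sources with no nondefault route. The FIB contents, interface names and packets are constructed assumptions; the prefixes are RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed FIB for a hypothetical router at "pop B". Interface names are
# assumptions; prefixes are RFC 5737 documentation ranges.
FIB = [
    ("0.0.0.0/0", "upstream"),            # default route
    ("192.0.2.0/24", "core-to-popA"),     # multihomed customer, best path via pop A
    ("198.51.100.0/24", "peer-x"),        # unrelated third-party network
]

def best_route(fib, src):
    """Longest-prefix match: return (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in fib]
    hits = [(n, ifc) for n, ifc in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def strict_rpf(fib, src, in_iface):
    """Accept only if the best route back to src leaves via the arrival interface."""
    route = best_route(fib, src)
    return route is not None and route[1] == in_iface

def loose_rpf(fib, src):
    """Accept if any non-default route covers src, whatever interface it uses."""
    route = best_route(fib, src)
    return route is not None and route[0].prefixlen > 0

# Constructed packets: (description, source address, arrival interface)
PACKETS = [
    ("customer traffic handed off at pop B", "192.0.2.10", "cust-popB"),
    ("source with no nondefault route", "203.0.113.7", "cust-popB"),
    ("third-party source on customer port", "198.51.100.9", "cust-popB"),
    ("third-party source on its own port", "198.51.100.9", "peer-x"),
]

def evaluate(fib, packets):
    """Return {description: (strict_verdict, loose_verdict)}."""
    return {d: (strict_rpf(fib, s, i), loose_rpf(fib, s)) for d, s, i in packets}

if __name__ == "__main__":
    for desc, (strict, loose) in evaluate(FIB, PACKETS).items():
        print(f"{desc:40} strict={'pass' if strict else 'drop':4} "
              f"loose={'pass' if loose else 'drop'}")
```

The third packet passes the loose check even though the source does not belong to the customer, which is why the message falls back on filtering at the customer's own edge.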