nanog mailing list archives
Re: Level3 routing issues?
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Sun, 26 Jan 2003 13:48:50 +0100 (CET)
On Sat, 25 Jan 2003, K. Scott Bethke wrote:
> Keep in mind that these problems aren't from 'well behaved' hosts, and 'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED.... classic DoS attack scenario. :(
> I understand the evils, but are we really at the mercy of situations like this? Of course we can firewall the common sense things ahead of time,
I don't think this one could have been reasonably firewalled using a non-stateful firewall (such as a simple router access list): the port is unprivileged so it will be used as a source port for regular UDP traffic such as DNS queries. However, rate limiting UDP would have helped. This is a reasonable thing to do for customers that have a lot of bandwidth but don't run high-bandwidth UDP protocols.
> we can jump right in and block evil traffic when it happens, after it takes down our network but what sorts of things can we design into our networks today to help with these situations?
Rate limit everything you can rate limit, make sure your routers and switches have enough CPU even if interfaces are saturated with minimum-sized packets to random destinations. But this type of rDOS (reversed denial of service) is easy: you can simply filter the offending systems. If it's the other way around (DOS) there is not much you can do. To really solve this we need a mechanism for destination hosts to authorize source hosts to send data in such a way that intermediate routers/firewalls can check this authorization and drop unauthorized packets.
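As an added illustration of the two points made in this reply (a stateless access list that denies the attacked port also drops the replies to ordinary DNS queries whose ephemeral source port happens to be that port, whereas a UDP rate limit or a filter on the offending source does not), here is a small Python simulation. It is not from the message or the thread: the port number 40000, the addresses and the traffic mix are constructed placeholders, and the policer is a plain token bucket standing in for a router's rate-limit feature.

```python
"""Compare three stateless defences against a UDP flood on an unprivileged port.

Traffic is constructed, not captured: one legitimate DNS query/reply pair whose
ephemeral source port is the flooded port, followed by a flood from one source
to random destinations.  Port 40000 and all addresses are placeholders.
"""
from dataclasses import dataclass

FLOOD_PORT = 40000  # placeholder: the message does not name the port


@dataclass(frozen=True)
class Pkt:
    t_us: int     # arrival time in microseconds (integers keep the bucket exact)
    src: str
    sport: int
    dst: str
    dport: int
    size: int     # bytes on the wire
    legit: bool   # ground truth used only for scoring; filters never see it


def build_traffic(flood_pkts=400, interval_us=500, pkt_size=400):
    """Constructed sample: DNS query at t=0, reply at 20 ms, flood from 50 ms."""
    pkts = [
        Pkt(0, "192.0.2.10", FLOOD_PORT, "198.51.100.53", 53, 80, True),
        Pkt(20_000, "198.51.100.53", 53, "192.0.2.10", FLOOD_PORT, 200, True),
    ]
    for i in range(flood_pkts):  # 2000 pps of 400-byte packets = 6.4 Mbit/s
        pkts.append(Pkt(50_000 + i * interval_us, "203.0.113.7", FLOOD_PORT,
                        f"192.0.2.{i % 254 + 1}", FLOOD_PORT, pkt_size, False))
    return sorted(pkts, key=lambda p: p.t_us)


def acl_deny_dport(port):
    """Stateless access list, roughly 'deny udp any any eq <port>'."""
    return lambda p: p.dport != port


def acl_deny_source(host):
    """Filter the offending system once it has been identified."""
    return lambda p: p.src != host


class TokenBucket:
    """Single-rate UDP policer: rate in bytes/s, burst in bytes.

    Applied to the aggregate UDP traffic; it protects the link and the router,
    not any particular legitimate packet that arrives after the bucket is empty.
    """

    def __init__(self, rate_bytes_per_s, burst):
        self.rate = rate_bytes_per_s
        self.burst = burst
        self.tokens = burst
        self.last_us = 0

    def __call__(self, p):
        refill = (p.t_us - self.last_us) * self.rate // 1_000_000
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_us = p.t_us
        if self.tokens >= p.size:
            self.tokens -= p.size
            return True
        return False


def score(policy, pkts):
    """Run a policy over the packets in arrival order and count what got through."""
    allowed = [p for p in pkts if policy(p)]
    return {
        "legit_passed": sum(p.legit for p in allowed),
        "legit_dropped": sum(p.legit for p in pkts) - sum(p.legit for p in allowed),
        "flood_passed": sum(not p.legit for p in allowed),
        "flood_bytes_passed": sum(p.size for p in allowed if not p.legit),
    }


def compare():
    """Return the score of each policy on the constructed traffic."""
    return {
        "deny_dport": score(acl_deny_dport(FLOOD_PORT), build_traffic()),
        "deny_source": score(acl_deny_source("203.0.113.7"), build_traffic()),
        "udp_policer_512kbit": score(TokenBucket(64_000, 8_000), build_traffic()),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:22s} {result}")
```

The destination-port ACL stops the flood completely but also drops the DNS reply, which is the collateral damage the reply above describes; adding a permit for packets sourced from port 53 ahead of the deny is the usual stateless workaround and reopens the port to anything that spoofs source port 53. The source filter is clean but only possible once the offending hosts are known. The 512 kbit/s policer lets both DNS packets through and caps the flood at what the bucket can refill, which is the point of rate limiting customers that do not run high-bandwidth UDP protocols.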