nanog mailing list archives
New Solution: (was: Re: Counter DoS)
From: Deepak Jain <deepak () ai net>
Date: Thu, 11 Mar 2004 17:17:35 -0500
Here is a solution I would like to propose -- it is not as set-and-forget as network operators like, but we do know that some of our customers have a lot of expertise with this stuff, and taking advantage of that value helps. This is along the categories of collateral damage, scorched earth and generally punitive action for DDOS-compromised hosts. Because not everyone will read every line, I am going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM. This will backfire if it's used for Spam blackholes; it will really only have an effect in the narrower DDOS space.
This goes along with the idea of blackhole communities. I do NOT recommend it be turned on across-the-board for every customer, and once it has reached penetration, say 20-30% of the internet backbones use this feature -- it should be phased back and only be an ICB item. (called Planned Obl.)
Just like the blackhole community routes, certain /32's (only, nothing shorter) can be exported from the customer to the backbone to be blackholed at the edges. The twist is that instead of limiting the customer announcement to the customer's IPs, you force only /32s to be announced for the blackhole prefixes and limit the total number of prefixes. Say 100 (or 10, or 1000, depending on how much trust you have).
So say joe-customer has identified his top 50 DDOS sources; he announces them to you, voila, DDOS gone. (even for spoofed traffic, depending on how your filters are set up) Obviously these would be no-export routes so no peer need be worried.
The theory - It creates an actual, measured response to customer machines being vulnerable. It makes parts (ideally large parts) of the internet unavailable to those with vulnerable computers.
The bad side - People could black hole important sites, until the ALL-CAPS rule is applied.
The somewhat less bad, bad side - Most of these /32s wouldn't be removed until the cable provider called the blackholing provider.
The reality is that these filters are probably created today by backbone security folks, so the question is how fast you want the injections/rejections.
IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM. Comments? Deepak
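The import policy sketched in the message, as an added Python model that is not part of Deepak's post: the community value, the discard next-hop and the sample prefixes are assumptions (documentation ranges only), and the function returns the installed routes alongside each rejection reason so an operator can see what a customer's announcement would actually do.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

# Assumed provider values (not from the post): the community a customer tags
# blackhole routes with, and a discard next-hop every edge router sends to Null0.
BLACKHOLE_COMMUNITY = "64496:666"
DISCARD_NEXT_HOP = "192.0.2.1"
NO_EXPORT = "no-export"

@dataclass
class Route:
    prefix: str
    communities: set[str] = field(default_factory=set)
    next_hop: str | None = None

def evaluate_blackhole_session(routes: list[Route], max_prefixes: int = 100):
    """Import policy for one customer blackhole session, as the post describes.

    Accept a route only if it carries the blackhole community, is exactly an IPv4
    /32 (it need not lie in the customer's own space), and the per-session count
    is under the limit. Accepted routes get no-export and the discard next-hop.
    Returns (accepted_routes, [(prefix, reason), ...]).
    """
    accepted: list[Route] = []
    rejected: list[tuple[str, str]] = []
    for r in routes:
        try:
            net = ipaddress.ip_network(r.prefix, strict=True)
        except ValueError:
            rejected.append((r.prefix, "unparsable prefix"))
            continue
        if BLACKHOLE_COMMUNITY not in r.communities:
            rejected.append((r.prefix, "missing blackhole community"))
        elif net.version != 4 or net.prefixlen != 32:
            rejected.append((r.prefix, "not a /32"))
        elif len(accepted) >= max_prefixes:
            rejected.append((r.prefix, "prefix limit exceeded"))
        else:
            accepted.append(Route(str(net), r.communities | {NO_EXPORT}, DISCARD_NEXT_HOP))
    return accepted, rejected

# Constructed sample announcement from "joe-customer" (documentation ranges only).
SAMPLE_ANNOUNCEMENTS = [
    Route("203.0.113.7/32", {BLACKHOLE_COMMUNITY}),   # a /32 DDOS source: installed
    Route("198.51.100.0/24", {BLACKHOLE_COMMUNITY}),  # too short: rejected, not a /32
    Route("203.0.113.9/32", set()),                   # untagged: not a blackhole request
    Route("203.0.113.10/32", {BLACKHOLE_COMMUNITY}),  # installed
]
```

Running `evaluate_blackhole_session(SAMPLE_ANNOUNCEMENTS)` installs the two tagged /32s and reports the /24 and the untagged route as rejected; lowering `max_prefixes` to 1 shows the second /32 being dropped by the session limit instead.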