nanog mailing list archives

Re: anycast and ddos

From: Kim Onnel <karim.adel () gmail com>
Date: Sat, 7 May 2005 03:48:46 +0300


I've looked around most DDoS prevention methods outhere, i can safely
say that alot of them usually just repeat each other, for me it all
boils down to

1) CoPP and aggresive SPD to protect the routing/management when
infrastructure is attacked.

2) Getting Riverhead, which is a shame if they had it and it didnt save the day.

3) Netflow to detect the attacking sources/dst and using Filtering and
blackholing methods. (Arbor, open-source tools...)

So, if they had all that in place and still they were brought down,
then i would seriously like to look for new/different solutions
applied or perhaps someone on the list could give us his experience in
a case of a heavy ddos where it was easily mitigated with the above.

Regards

On 5/6/05, Fergie (Paul Ferguson) <fergdawg () netzero net> wrote:



As one of the co-authors of RFC-2827, I'm assuming you
meant me -- if so, no apology needed.  :-)

I'm just sorry to have to see a "weakness" exploited which
could easily be "fixed"....

- ferg

ps. This also seems like a good time to mention (again)
"The Spoofer Project" at MIT:

 http://momo.lcs.mit.edu/spoofer/

[and]

 http://momo.lcs.mit.edu/spoofer/summary.php


-- Randy Bush <randy () psg com> wrote:

it seems that anycasting was quite insufficient to protect
netsol's service from being severely damaged (udp dead, tcp
worked) for a considerable length of time by a ddos [0] last
week [1].  it would be very helpful to other folk concerned
with service deployment to understand how the service in
question was/is anycast, and what might be done differently
to mitigate exposure of similar services.

anyone have clues or is this ostrich city?  maybe a preso at
nanog would be educational.

randy

---

[0] - as it seems that the ddos sources were ip address
      spoofed (which is why the service still worked for
      tcp), i owe paul an apology for downplaying the
      immediacy of the need for source address filtering.

[1] - netsol is not admitting anything happened, of course
      <sigh>.  but we all saw the big splash as it hit the
      water, the bubbles as it sank, and the symptoms made
      the cause pretty clear.

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/

Current thread:

Re: anycast and ddos, (continued)
- Re: anycast and ddos Patrick W. Gilmore (May 06)
- Re: anycast and ddos Christopher L. Morrow (May 06)
  - Re: anycast and ddos Randy Bush (May 07)
    - Re: anycast and ddos Randy Bush (May 07)
    - Re: anycast and ddos Christopher L. Morrow (May 07)
    - NetSol disaster (was Re: anycast and ddos) Randy Bush (May 07)
- Message not available
  - Re: anycast and ddos Hank Nussbacher (May 08)
    - Re: anycast and ddos Rodney Joffe (May 08)
    - Re: anycast and ddos Hank Nussbacher (May 08)
- Re: anycast and ddos Fergie (Paul Ferguson) (May 06)
  - Re: anycast and ddos Kim Onnel (May 06)
    - Re: anycast and ddos Christopher L. Morrow (May 06)
    - Re: anycast and ddos Sean Donelan (May 06)
    - Re: anycast and ddos Christopher L. Morrow (May 06)