nanog mailing list archives

Re: anycast and ddos

From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Sat, 07 May 2005 01:38:18 +0000 (GMT)



On Fri, 6 May 2005, Randy Bush wrote:


it seems that anycasting was quite insufficient to protect
netsol's service from being severely damaged (udp dead, tcp
worked) for a considerable length of time by a ddos [0] last
week [1].  it would be very helpful to other folk concerned
with service deployment to understand how the service in
question was/is anycast, and what might be done differently
to mitigate exposure of similar services.


was the service in question anycast'ed? I got the impression that the
worldnic servers were all NON-anycast... I only see the /21 covering these
servers through 10515 (which is verisign as I recall?)

Judging by latency I even think they are in the northern virginia area...
I also noted:

worldnic.com.           86400   IN      NS      ns1.netsol.com.
worldnic.com.           86400   IN      NS      ns2.netsol.com.
worldnic.com.           86400   IN      NS      ns3.netsol.com.

;; ADDITIONAL SECTION:
ns1.netsol.com.         86400   IN      A       216.168.229.228
ns2.netsol.com.         86400   IN      A       216.168.229.229
ns3.netsol.com.         86400   IN      A       216.168.229.229

why have 3 records and 2 ips? odd. You'd think they would have more ips in
that /21 or other /24's to allocate from, just in case they had to
jettison 1 address which was getting pounded :( (not that these were
getting attacked per-say, but still)

[0] - as it seems that the ddos sources were ip address
      spoofed (which is why the service still worked for
      tcp), i owe paul an apology for downplaying the
      immediacy of the need for source address filtering.


It's also not clear that the sources were spoofed, if as Patrick says they
put in a riverhead(s) (which isn't too far fetched) the normal mode for
'protection' of DNS is to:
1) truncate
2) rate-limit - and cache (I think it caches atleast, I know it will go
into proxy mode and rate-limit)

truncate forces TCP which allows RHG to verify the source address is
really asking to chat, rate-limit function keeps 'bad actors' from
beatting the hell out of the protected resource.

So, without more info from NetSol (seems not to be forthcoming?) about the
mix of attack traffic (which the RHG will provide) it's hard to state
definitively that the attack was 'mostly spoofed' :(

Current thread:

anycast and ddos Randy Bush (May 06)
- Re: anycast and ddos Patrick W. Gilmore (May 06)
- Re: anycast and ddos Christopher L. Morrow (May 06)
  - Re: anycast and ddos Randy Bush (May 07)
    - Re: anycast and ddos Randy Bush (May 07)
    - Re: anycast and ddos Christopher L. Morrow (May 07)
    - NetSol disaster (was Re: anycast and ddos) Randy Bush (May 07)
- Message not available
  - Re: anycast and ddos Hank Nussbacher (May 08)
    - Re: anycast and ddos Rodney Joffe (May 08)
    - Re: anycast and ddos Hank Nussbacher (May 08)
- <Possible follow-ups>
- Re: anycast and ddos Fergie (Paul Ferguson) (May 06)
  - Re: anycast and ddos Kim Onnel (May 06)
    - Re: anycast and ddos Christopher L. Morrow (May 06)

(Thread continues...)