nanog mailing list archives

Re: Over a decade of DDOS--any progress yet?


From: Thomas Mangin <thomas.mangin () exa-networks co uk>
Date: Wed, 8 Dec 2010 15:04:28 +0000

On 6 Dec 2010, at 15:34, David Ulevitch wrote:

On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore <patrick () ianai net> wrote:
On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:

Besides having *a lot* of bandwidth there's not really much you can do to
mitigate. Once you have the bandwidth you can filter (w/good hardware).
Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.

There is a variation on that theme.  Using a distributed architecture (anycast, CDN, whatever), you can limit the attack to certain nodes.  If you have 20 nodes and get attacked from a botnet in China, only the users on the same node as the Chinese users will be down.  The other 95% of your users will be fine.  This is true even if you have 1 Gbps per node, and the attack is 100 Gbps strong.

I think this is only true if you run your BGP session on a different
path (or have your provider pin down a static route).  If you are
using BGP and run it on the same path, the 100Gbps will cause massive
packet loss and likely cause your BGP session to drop which will just
move the attack to another site, rinse / repeat.  I don't think very
many people run BGP over a separate circuit, but for some folks, it
might be appropriate.

Running BGP over a different circuit will cause some blackholing of the traffic if the real link is down but not the BGP path.
So IMHO the best way is still a good router with some basic QoS to protect BGP on the link.

Thomas
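An added illustration of the "basic QoS to protect BGP on the link" approach (this is not from the thread; the IOS-style MQC syntax and the interface name are assumptions): BGP packets get a small strict-priority queue on the transit interface so keepalives and updates leave the router ahead of flood traffic when the link is saturated.

```cisco
! Added example, not posted in the thread. IOS-style syntax; the interface
! name and percentages are placeholders to adapt to the real link.
!
! 1. Identify BGP session traffic in both directions (TCP port 179).
ip access-list extended BGP-SESSIONS
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-any BGP
 match access-group name BGP-SESSIONS
!
! 2. Reserve a small strict-priority queue for BGP. Attack traffic falls
!    into class-default and is what gets dropped under congestion.
policy-map PROTECT-BGP
 class BGP
  priority percent 2
 class class-default
  fair-queue
!
! 3. Apply the policy outbound on the transit link. An output policy only
!    protects the direction this router transmits; the flood arrives on the
!    upstream's side, so the provider must prioritise BGP on its egress
!    towards you as well, otherwise the session can still starve.
interface GigabitEthernet0/1
 description transit to upstream
 service-policy output PROTECT-BGP
```

Check the result with `show policy-map interface GigabitEthernet0/1` during a flood: the BGP class should show matches and no drops while class-default absorbs the loss.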


