nanog mailing list archives

Re: Vyatta as a BRAS


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Wed, 14 Jul 2010 14:12:07 +0000


On Jul 14, 2010, at 8:48 PM, Florian Weimer wrote:

> From or to your customers?

Both.

> Stopping customer-sourced attacks is probably a good thing for the Internet at large.

Concur 100%.

> And you can't combat attacks targeted at customers within your own network unless you've got very large WAN
> pipes, moving you into the realm of special-purpose hardware for other reasons.

Sure, you can, via S/RTBH, IDMS, et al.  While DNS reflection/amplification attacks are used to create crushing 
volumes of attack traffic, and even smallish botnets can create high-volume attacks, most packet-flooding attacks are 
predicated on throughput - i.e., pps - rather than bandwidth, and tend to use small packets.  Of course, they can use 
*lots and lots* of small packets, and often do, but one can drop these packets via the various mechanisms one has 
available, then reach out to the global opsec community for filtering closer to the sources.

The thing is, with many DDoS attacks, the pps/bps/cps/tps required to disrupt the targets can be quite small, due to 
the unpreparedness of the defenders.  Many high-profile attacks discussed in the press such as the Mafiaboy attacks, 
the Estonian attacks, the Russian/Georgian/Azerbaijan attacks, the China DNS meltdown, and the RoK/USA DDoS attacks 
were all a) low-volume, b) low-throughput, c) exceedingly unsophisticated, and d) eminently avoidable via sound 
architecture, deployment of BCPs, and sound operational practices.

In fact, many DDoS attacks are quite simplistic in nature and many are low in bandwidth/throughput; the miscreants only 
use the resources necessary to achieve their goals, and due to the unpreparedness of defenders, they don't have a need 
to make use of overwhelming and/or complex attack methodologies.

This doesn't mean that high-bandwidth, high-throughput, and/or complex DDoS attacks don't occur, or that folks 
shouldn't be prepared to handle them; quite the opposite, we see a steady increase in attack volume, throughput and 
sophistication at the high end.  But the fact of the matter is that many DDoS targets - and associated network 
infrastructure, and services such as DNS - are surprisingly fragile, and thus are vulnerable to surprisingly 
simple/small attacks, or even inadvertent/accidental attacks.

> Previously, this was really a no-brainer because you couldn't get PCI
> cards with the required interfaces, but with Ethernet everywhere, the
> bandwidths you can handle on commodity hardware will keep increasing.

Concur 100%.

> Eventually, you'll need special-purpose hardware only for a smallish
> portion at the top of the router market, or if you can't get the
> software with the required protocol support on other devices.

I believe that the days of software-based routers are numbered, period, due to the factors you describe.  Of course, 
the 'top of the router market' seems to keep moving upwards, despite many predictions to the contrary.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
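The S/RTBH mechanism Roland refers to, as an added illustration that is not part of the original thread and not any vendor's implementation: a trigger router injects a /32 route for each attacking source with a next hop that every edge router already resolves to Null0, and loose-mode uRPF on the edges then drops packets whose source resolves to a discard route. The router model, the discard next hop 192.0.2.1, the prefixes and the packet sample are all constructed for this example; in production the /32s would travel over iBGP with a no-export community, and loose uRPF must be configured to ignore a default route or the check passes everything.

```python
"""
Simulation of source-based remotely triggered black-holing (S/RTBH) with
loose-mode uRPF. Added example only: not code from the original post or
from any router platform. Addresses and RIB contents are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Discard next hop (RFC 5737 documentation range); every edge carries a
# static route for it pointing to Null0. Constructed for this example.
DISCARD_NEXT_HOP = ipaddress.ip_address("192.0.2.1")


@dataclass
class EdgeRouter:
    """Minimal edge router: a RIB (prefix -> next hop or "Null0") plus loose uRPF."""
    name: str
    rib: dict = field(default_factory=dict)
    dropped: int = 0
    forwarded: int = 0

    def lookup(self, addr):
        """Longest-prefix match; returns the next hop, or None when no route exists."""
        best = None
        for prefix, nh in self.rib.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None

    def resolve(self, addr):
        """One level of recursive resolution: a next hop that itself routes to Null0 is a discard."""
        nh = self.lookup(addr)
        if nh is None or nh == "Null0":
            return nh
        return "Null0" if self.lookup(nh) == "Null0" else nh

    def loose_urpf_ok(self, src):
        """Loose uRPF: the source needs some route, and that route must not resolve to Null0.
        (No default route is modelled; with one, loose uRPF needs an ignore-default knob.)"""
        resolved = self.resolve(src)
        return resolved is not None and resolved != "Null0"

    def forward(self, src, dst):
        """Apply the uRPF check on ingress and record the verdict."""
        if not self.loose_urpf_ok(src):
            self.dropped += 1
            return "drop"
        self.forwarded += 1
        return "forward"


class TriggerRouter:
    """Operator trigger: pushes /32 source routes with the discard next hop to all edges."""
    def __init__(self, edges):
        self.edges = edges

    def blackhole_source(self, src):
        host = ipaddress.ip_network(f"{ipaddress.ip_address(src)}/32")
        for edge in self.edges:
            edge.rib[host] = DISCARD_NEXT_HOP  # edge resolves this to its Null0 route


def run_scenario():
    """Run constructed traffic through one edge before and after the trigger fires."""
    edge = EdgeRouter("edge-1")
    edge.rib[ipaddress.ip_network("203.0.113.0/24")] = ipaddress.ip_address("203.0.113.1")  # customer
    edge.rib[ipaddress.ip_network("198.51.100.0/24")] = ipaddress.ip_address("192.0.2.254")  # peer
    edge.rib[ipaddress.ip_network("192.0.2.1/32")] = "Null0"  # the discard route every edge carries
    trigger = TriggerRouter([edge])

    victim = ipaddress.ip_address("203.0.113.10")
    # Constructed sample: two flooding sources, one legitimate peer host, one unrouted source.
    sources = ["198.51.100.7"] * 4 + ["198.51.100.8"] * 3 + ["198.51.100.200"] * 2 + ["10.0.0.5"]
    packets = [(ipaddress.ip_address(s), victim) for s in sources]

    before = [edge.forward(s, d) for s, d in packets]
    trigger.blackhole_source("198.51.100.7")
    trigger.blackhole_source("198.51.100.8")
    after = [edge.forward(s, d) for s, d in packets]
    return {
        "before_forwarded": before.count("forward"),
        "before_dropped": before.count("drop"),
        "after_forwarded": after.count("forward"),
        "after_dropped": after.count("drop"),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Before the trigger fires, only the unrouted source fails loose uRPF; after it fires, the two flooding sources are dropped at the edge while the legitimate peer host and the victim's own traffic still forward. The drops happen in the forwarding path, which is why this scales with pps rather than with the size of the attack's aggregate bandwidth.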
