nanog mailing list archives

Re: UDP port 80 DDoS attack


From: Keegan Holley <keegan.holley () sungard com>
Date: Mon, 6 Feb 2012 23:58:42 -0500

2012/2/6 Jeff Wheeler <jsw () inconcepts biz>

On Mon, Feb 6, 2012 at 8:43 PM, Sven Olaf Kamphuis <sven () cb3rob net>
wrote:
there is a fix for it, it's called "putting a fuckton of ram in -most-
routers on the internet" and keeping statistics for each destination
ip:destination port:outgoing interface so that none of them individually
can (entirely/procentually compared to other traffic) flood the outgoing
interface on that router... end result, if enough routers are structured
like that, is that ddos attacks will become completely useless.

There are two obvious problems with your approach.

First, adding the policers you suggest, at the scale needed, is a
little harder than you imagine.  It's not a simple matter of the cost
of RAM but also power/heat density per port.


Since when are policers implemented in ram?  You're talking FPGA if you
want to be able to make forwarding/filtering decisions.  Assuming it's
possible, which it isn't, your 1 million dollar boxes suddenly become
hundred million dollar boxes.  Then there's v6 info...


Second, if you re-engineer every router on the Internet to prevent an
interface from being congested by malicious flow(s) destined for one
particular destination IP:port, then DDoS attacks will simply target
multiple ports or multiple destination IP addresses that are likely to
traverse a link they are able to congest.



Not to mention that the routers themselves become an attack vector.  This
cache will have a finite limit because there's no such thing as an infinite
amount of cache, among other flaws.  When that limit is reached it will do
something no one wants it to do, and that will become the new DDOS attack.


If you want to dramatically increase the cost of routers in order to
solve the problem of DDoS with one deft (and expensive) move, you have
to imagine that the people behind DDoS attacks aren't complete idiots,
and will actually spend some time thinking about how to defeat your
system.

Not to mention cost?  You're not going to get a tier I ISP to upgrade to
this new super router (assuming it's possible to build such a thing)
without an act of congress or at least the FCC.  They won't even spend
enough on fiber to bring broadband into rural areas.
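A toy model of the per-destination policer the thread argues about, added here as an illustration and not code from any of the posters. It assumes a token bucket keyed by (destination IP, destination port, outgoing interface), a table bounded by max_entries with LRU eviction when full, and a constructed target address 203.0.113.1; it shows both objections raised above: spreading a flood across many ports defeats per-key limits, and a full state table hands evicted keys a fresh burst.

```python
from collections import OrderedDict


class BoundedPolicer:
    """Per-(dst_ip, dst_port, out_iface) token bucket with finite state.

    max_entries models finite router memory. When the table is full,
    the least recently used key is evicted (one assumed choice of what
    a real box might do); its history is lost with it.
    """

    def __init__(self, rate_pps, burst, max_entries):
        self.rate, self.burst, self.max_entries = rate_pps, burst, max_entries
        self.table = OrderedDict()  # key -> [tokens, last_timestamp]
        self.evictions = 0

    def allow(self, key, ts):
        state = self.table.get(key)
        if state is None:
            if len(self.table) >= self.max_entries:
                self.table.popitem(last=False)  # evict LRU entry
                self.evictions += 1
            state = self.table[key] = [self.burst, ts]  # fresh burst granted
        else:
            self.table.move_to_end(key)
        tokens = min(self.burst, state[0] + (ts - state[1]) * self.rate)
        state[1] = ts
        if tokens >= 1:
            state[0] = tokens - 1
            return True
        state[0] = tokens
        return False


def simulate(policer, n_ports, pkts_per_port, link_capacity):
    """Flood n_ports distinct ports of one constructed destination within a
    single timestep (no token refill). Returns (forwarded, evictions,
    link_overloaded): forwarded packets, table evictions, and whether the
    forwarded total exceeds what the outgoing link can carry."""
    forwarded = 0
    for _ in range(pkts_per_port):
        for p in range(n_ports):
            key = ("203.0.113.1", 1024 + p, "eth0")  # constructed target
            if policer.allow(key, 0.0):
                forwarded += 1
    return forwarded, policer.evictions, forwarded > link_capacity
```

With burst 10, a single-port flood forwards only 10 packets; the same flood spread over 1000 ports forwards 10000 even with an oversized table, and with a 100-entry table every packet passes because each eviction resets the bucket.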

