nanog mailing list archives
Re: UDP port 80 DDoS attack
From: Joe Greco <jgreco () ns sol net>
Date: Tue, 7 Feb 2012 08:28:25 -0600 (CST)
> Since when are policers implemented in ram? You're talking FPGA if you want to be able to make forwarding/filtering decisions, assuming it's possible, which it isn't. Your 1 million dollar boxes suddenly become hundred million dollar boxes. Then there's v6 info..
Of course it's not possible ... if you use a crummy design.

It's trivial to come up with non-completely-crummy designs. For example, adding a front-end where you take a hash of source-ip/dest-ip and run it through a smallish hash table, you can use that as a filter to eliminate a lot of traffic that's just normal and non-interesting. You want to take a closer look at the traffic that's heaviest (read: most hits) or new and significant (read: diff against an hour ago). You probably don't want to do this just per-IP, but likely also per-network.

And you probably don't want to use just this one technique, you want to combine it with others. And you probably need to consider the types of attacks that are known, likely, etc., and design accordingly, because this one little example I've provided is just one part of a comprehensive solution, but it is capable of dealing with any amount of traffic and it would be a very useful filter to start pulling out potentially interesting stuff.

This stuff isn't *easy*. Fine. But it certainly *is* possible.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
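The front-end filter described in the message above, as an added example that is not part of the original post: a fixed-size counter table keyed by a hash of source/destination, compared against the previous window to pick out the heaviest and the newly significant buckets. The class and method names, CRC32 as the hash, the thresholds, the IPv4-only handling and the sample traffic (documentation address ranges) are all assumptions made for illustration.

```python
import ipaddress
import zlib

class PairSketch:
    """Fixed-size counter table indexed by a hash of (source, destination)."""

    def __init__(self, buckets=4096, prefix_len=32):
        self.buckets = buckets
        self.prefix_len = prefix_len       # 32 = per-IP, 24 = per-/24 network
        self.current = [0] * buckets       # counts for the window in progress
        self.previous = [0] * buckets      # baseline window, e.g. an hour ago

    def _mask(self, ip):
        net = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
        return int(net.network_address).to_bytes(4, "big")

    def bucket(self, src, dst):
        # Colliding pairs share a counter; acceptable for a coarse pre-filter.
        return zlib.crc32(self._mask(src) + self._mask(dst)) % self.buckets

    def add(self, src, dst, packets=1):
        self.current[self.bucket(src, dst)] += packets

    def rotate(self):
        """Close the window: current counts become the baseline."""
        self.previous, self.current = self.current, [0] * self.buckets

    def interesting(self, top_n=3, min_hits=100, growth=10):
        """Buckets that are heaviest, or significant now and far above baseline."""
        ranked = sorted(range(self.buckets), key=self.current.__getitem__, reverse=True)
        heavy = {b for b in ranked[:top_n] if self.current[b] > 0}
        new = {b for b in range(self.buckets)
               if self.current[b] >= min_hits
               and self.current[b] >= growth * max(self.previous[b], 1)}
        return heavy | new

    def needs_closer_look(self, src, dst, **thresholds):
        return self.bucket(src, dst) in self.interesting(**thresholds)

def demo():
    """Constructed traffic: 50 steady pairs in both windows, one new heavy pair."""
    s = PairSketch()
    for window in range(2):
        for i in range(50):
            s.add(f"192.0.2.{i}", "198.51.100.10", packets=20)
        if window == 0:
            s.rotate()
    s.add("203.0.113.7", "198.51.100.10", packets=50000)
    return s
```

Memory is fixed by the bucket count regardless of traffic volume; a flagged bucket only selects traffic for closer inspection, since unrelated pairs can share a counter.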