nanog mailing list archives

Re: BGP FlowSpec


From: Martin Bacher <ti14m028 () technikum-wien at>
Date: Mon, 2 May 2016 15:48:37 +0200


On 02.05.2016 at 15:03, Alexander Maassen <outsider () scarynet org> wrote:

> On Mon, May 2, 2016 2:30 pm, Danny McPherson wrote:
> > We use it effectively in a layered model where "Principle of Minimal
> > Intervention" applies, allowing attack mitigation and traffic diversion
> > in the most optimal place (e.g., at network ingress), and only scrubbing
> > or diverting traffic when necessary.
>
> Sorry to say, but the most optimal place for DDoS mitigation is at the network
> egress of the origin. What comes to mind regarding that is the ability for the
> target ASN to tell the source ASN to stop sending packets from a specific
> prefix (let's say a /29) in the case of a DDoS (with appropriate security
> measures in place, of course).
>
> Because, let's face it, why would a target of a DDoS need to nullroute
> itself?

Well, I think ingress filtering at the Internet edge (see BCP38 and BCP84) would be the best approach. But we as an Internet community are clearly failing in that area. And origin ASes of amplification and reflection attacks are most probably not able to detect DNS ANY queries or NTP monlist queries at a low rate without DPI. The networks used for reflection and amplification may be able to detect an ongoing attack, and they will then hopefully fix their implementations and not deploy egress filters.

So the question is how to get rid of source IP address spoofing altogether? I don’t see any chance by now to push ASes which are not filtering properly to implement ingress filtering. What could help is to add session handling to UDP-based protocols, as proposed by Christian Rossow and implemented by Google in QUIC. But that’s again just a workaround and may create new problems because of backwards compatibility issues.

So filtering as precisely as possible and as close as possible to the attack source is maybe the best option we have at the moment.
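For readers of this thread who want to see what a FlowSpec rule of the "filter precisely, as close to the source as possible" kind looks like on the wire, here is an added example; it is not code from any of the posters above. It encodes and decodes the RFC 5575 NLRI (the FlowSpec specification current when this thread was written; RFC 8955 later revised it) for "UDP to victim prefix 192.0.2.0/29 arriving from source port 53 or 123", i.e. the DNS and NTP reflection traffic discussed above, plus the traffic-rate extended community that tells the receiving router to discard it. The victim prefix (taken from the documentation range), the two reflector ports, the restriction of the numeric operators to "eq", and all function names are assumptions of the example, not anything from the discussion.

```python
"""BGP FlowSpec (RFC 5575) NLRI encoder/decoder for a reflection-attack filter.

Added example for this thread, not code from any of its posters. The victim
prefix 192.0.2.0/29 and the reflector source ports 53/123 are constructed
sample values, not taken from the discussion.
"""
import ipaddress
import struct

# Component types (RFC 5575 section 4); an NLRI lists them in ascending order.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
# Numeric operator octet: e(0x80) a(0x40) len(0x30) 0(0x08) lt(0x04) gt(0x02) eq(0x01)
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01


def prefix_component(ctype, cidr):
    """Type 1/2: type, prefix length, then only the significant address octets."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype, values, op=OP_EQ):
    """Type 3-6: an OR-list of (operator, value); the last pair gets the end bit."""
    out = bytearray([ctype])
    for i, value in enumerate(values):
        if value > 0xFF:                       # len bits 01 = 2-octet value
            flags, packed = op | 0x10, struct.pack("!H", value)
        else:                                  # len bits 00 = 1-octet value
            flags, packed = op, bytes([value])
        if i == len(values) - 1:
            flags |= OP_END
        out.append(flags)
        out += packed
    return bytes(out)


def encode_nlri(components):
    """Concatenate components and prefix the NLRI length (1 octet when < 240)."""
    types = [c[0] for c in components]
    if types != sorted(types):
        raise ValueError("FlowSpec components must be in ascending type order")
    body = b"".join(components)
    if len(body) < 0xF0:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body   # extended length form


def decode_nlri(data):
    """Parse one NLRI; returns ({component_type: match}, octets_consumed)."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end, rule = pos + length, {}
    while pos < end:
        ctype, pos = data[pos], pos + 1
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen, pos = data[pos], pos + 1
            nbytes = (plen + 7) // 8
            addr = data[pos:pos + nbytes].ljust(4, b"\x00")   # pad to 4 octets
            pos += nbytes
            rule[ctype] = str(ipaddress.IPv4Network((addr, plen), strict=False))
        else:
            matches = []
            while True:
                flags, pos = data[pos], pos + 1
                vlen = 1 << ((flags >> 4) & 0x03)             # 1, 2, 4 or 8 octets
                value = int.from_bytes(data[pos:pos + vlen], "big")
                pos += vlen
                matches.append((flags & (OP_LT | OP_GT | OP_EQ), value))
                if flags & OP_END:
                    break
            rule[ctype] = matches
    return rule, end


def traffic_rate_community(rate_bytes_per_sec=0.0, asn=0):
    """RFC 5575 section 7 action: type 0x8006, 2-octet AS, IEEE float; 0 = discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


def reflection_filter_nlri(victim_cidr="192.0.2.0/29", reflector_ports=(53, 123)):
    """Match UDP to the victim /29 arriving from DNS (53) or NTP (123) source ports."""
    return encode_nlri([
        prefix_component(DST_PREFIX, victim_cidr),
        numeric_component(IP_PROTO, [17]),                 # 17 = UDP
        numeric_component(SRC_PORT, list(reflector_ports)),
    ])


if __name__ == "__main__":
    nlri = reflection_filter_nlri()
    print(nlri.hex(), decode_nlri(nlri)[0], traffic_rate_community().hex())
```

Such an NLRI is carried in MP_REACH_NLRI with AFI 1 / SAFI 133, and the example's rule only touches UDP from the reflector ports to the victim /29, which is what makes it deployable at a neighbour's ingress without collateral damage. The "appropriate security measures" mentioned in the quoted reply are, in the RFC 5575 model, the validation rule that a router accepts a FlowSpec route from another AS only when its originator also originates the best unicast route for the destination prefix, so a network can ask upstreams to drop traffic towards its own prefixes but not towards anyone else's.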
