nanog mailing list archives

Re: DDoS Mitigation Survey


From: Lumin Shi <luminshi () cs uoregon edu>
Date: Tue, 14 Jan 2020 15:37:21 -0800

Hi Roland,

Thank you for your comments and resources.  I think you may have
misunderstood our email (we could've made our email more clear --
apologies).

The following is our explanation if we interpreted your email correctly.

What we meant by "may not have necessary capacity" is that routers do not
have enough CAM/TCAM space to deploy/install ACLs or BGP FlowSpec rules
against large-scale DDoS attacks without 1) incurring major collateral
damage (e.g., deploying /16 source-based rules instead of /32 so that more
DDoS traffic can be filtered while using less CAM/TCAM space), or 2)
performance penalties that are introduced by deploying more filters than a
router's data plane can support (i.e., data plane to control plane I/O
limitation).

We believe DDoS mitigation based on layer 3 and/or 4 information can be
fine-grained. As a matter of fact, when we referred to fine-grained traffic
filtering in our original email, we meant DDoS mitigation based on layer 3
and 4 information.

I hope this addresses your concerns.

Best,
Lumin

On Tue, Jan 14, 2020 at 2:31 PM Dobbins, Roland <Roland.Dobbins () netscout com> wrote:


On 14 Jan 2020, at 1:56, Lumin Shi wrote:

We believe that many routers on the Internet today may not have the
necessary capacity to perform fine-grained traffic filtering, especially
when facing a large-scale DDoS attack with or without IP spoofing.

There are literally decades of information on these topics available
publicly.  Router and switch ACLs (both static and dynamically-updated
via flow spec), D/RTBH, S/RTBH, intelligent DDoS mitigation systems
(IDMSes; full disclosure, I work for a vendor of such systems), et
al. are all used to mitigate DDoS attacks.

Your comments about routers not having the 'capacity' (I think you mean
capability) to filter traffic due to a lack of granularity are
demonstrably inaccurate.  While it's always useful to be able to parse
into packets as deeply as practicable in hardware, layer-4 granularity
has been and continues to be useful in mitigating DDoS attacks on an
ongoing basis.  Whether or not the traffic in question is spoofed is
irrelevant, in this particular context.

Here are some .pdf presentations on the general topic of DDoS
mitigation:

<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>

There are lots of write-ups and videos of presentations given at
conferences like NANOG which address these issues; they can easily be
located via the use of search engines.

--------------------------------------------
Roland Dobbins <roland.dobbins () netscout com>
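
The /16-versus-/32 trade-off Lumin describes above, as an added example that is
not code from either poster: a Python sketch that aggregates attacking /32
sources into a fixed budget of coarser source prefixes (the budget standing in
for available ACL or FlowSpec entries) and counts how many non-attacking
addresses each plan sweeps up. The attacker addresses are constructed from
documentation ranges, and the rule budget, candidate prefix lengths and coverage
threshold are hypothetical parameters chosen for illustration.

```python
"""Prefix aggregation for DDoS source filtering under a TCAM entry budget.

Added example (not from the NANOG thread). Attacker addresses are
constructed from RFC 5737 documentation ranges; the entry budget and the
coverage threshold are hypothetical knobs. The point: a fixed number of
entries filters more attackers when the prefixes are coarser, but every
non-attacking address inside a chosen prefix becomes collateral damage.
"""
import ipaddress
from collections import Counter

# Constructed attacker sources (not real attack data):
# 30 hosts in 198.51.100.0/24, 10 in 203.0.113.0/24, 3 in 192.0.2.0/24.
ATTACKERS = (
    [ipaddress.IPv4Address(f"198.51.100.{h}") for h in range(1, 31)]
    + [ipaddress.IPv4Address(f"203.0.113.{h}")
       for h in (5, 17, 29, 41, 53, 65, 77, 89, 101, 113)]
    + [ipaddress.IPv4Address(f"192.0.2.{h}") for h in (8, 16, 24)]
)


def plan(attackers, prefix_len, budget):
    """Aggregate attacker /32s into at most `budget` prefixes of `prefix_len`.

    Attackers are grouped by their enclosing prefix; the `budget` most
    populated groups each become one filter entry. Returns how many
    attackers the entries cover, how many are missed, and how many
    non-attacking addresses (collateral) the entries also match.
    """
    groups = Counter(
        ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
        for a in attackers
    )
    chosen = groups.most_common(budget)
    covered = sum(n for _, n in chosen)
    # Every address in a chosen prefix that is not an attacker is collateral
    # (network and broadcast addresses are counted too; they cost nothing to
    # include and keep the arithmetic simple).
    collateral = sum(net.num_addresses - n for net, n in chosen)
    return {
        "prefix_len": prefix_len,
        "entries": [str(net) for net, _ in chosen],
        "covered": covered,
        "missed": len(attackers) - covered,
        "collateral": collateral,
    }


def choose_plan(attackers, budget, min_coverage=0.9, lengths=(32, 24, 16)):
    """Pick the most specific prefix length that still filters at least
    `min_coverage` of the attackers within `budget` entries.

    Tries the candidate lengths from longest to shortest, so collateral is
    only widened when the entry budget forces it; if no length reaches the
    coverage target the coarsest candidate is returned as the fallback.
    """
    for plen in sorted(lengths, reverse=True):
        p = plan(attackers, plen, budget)
        if p["covered"] >= min_coverage * len(attackers):
            return p
    return plan(attackers, min(lengths), budget)


if __name__ == "__main__":
    for budget in (1, 2, 43):
        p = choose_plan(ATTACKERS, budget)
        print(f"budget={budget:>2}: /{p['prefix_len']} entries={p['entries']} "
              f"covered={p['covered']} missed={p['missed']} "
              f"collateral={p['collateral']}")
```

With two entries, /32 rules stop two of the 43 constructed attackers, /24 rules stop 40 of them at the cost of 472 bystander addresses, and /16 rules stop the same 40 while sweeping up over 131,000 addresses; `choose_plan` therefore settles on /24. Shrinking the budget to a single entry forces the fallback to /16 without any coverage gain, which is the capacity-driven collateral damage the reply above is pointing at.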


