[120821] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Tue, 5 Jan 2010 05:29:05 +0000
In-Reply-To: <d066472f1001042119y2467638bt88c650f785d4a7f0@mail.gmail.com>
On Jan 5, 2010, at 12:19 PM, Rick Ernst wrote:
> I'd argue just the opposite. If your monitoring/mitigation system changes dependent on the situation (normal vs under attack), you are adding complexity to the system.
> "What mode is the system in right now? Is this customer having connectivity issues because of a state change in the network? etc."
I strongly disagree with this, except for properties which are under sustained attack 24/7. If one has constructed one's detection/classification/traceback/mitigation system properly, one always knows at a glance the state of the system.

Otherwise, whenever there's any issue whatsoever with the properties under protection, one must try and prove a negative - i.e., that the mitigation solution isn't causing the problem. Happens every time, heh.
> I know you said "generally", but if I'm seeing 200Kpps from a.b.c.d, I don't care if a.b.c.d is spoofed. I want the traffic blocked from the guts of my network.

Not if it's legit, you don't, or if the attacker is spoofing, say, the IPs of the root nameservers, or the TLDs, or an e-commerce/supply-chain partner . . . or if the attack is originating behind a broadband mega-proxy, or a mobile CGN.
;>
Also, if you've a variety of tools at your disposal, like S/RTBH and/or flow-spec, and then more sophisticated (and expensive) tools like IDMS, the freedom to choose the least intrusive/most situationally-appropriate tool to mitigate a given attack is essential for resource preservation and the ability to oversubscribe the more sophisticated tools.

> Note that my original question was in the context of "a D/DoS composed of lots of itty-bitty packets". Other attack mechanisms do not necessarily lend themselves to "chop 'em off at the knees."

Absolutely, which is where the situationally-specific selection of tools/modes comes into play.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken