[121494] in North American Network Operators' Group
RE: 2009 Worldwide Infrastructure Security Report available for
daemon@ATHENA.MIT.EDU (Pekka Savola)
Thu Jan 21 06:35:57 2010
Date: Thu, 21 Jan 2010 13:34:51 +0200 (EET)
From: Pekka Savola <pekkas@netcore.fi>
To: Stefan Fouant <sfouant@shortestpathfirst.net>
In-Reply-To: <017a01ca99e5$c4dcddd0$4e969970$@net>
Cc: 'NANOG list' <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, 20 Jan 2010, Stefan Fouant wrote:
> Completely agree on the disturbing observation of the increase in
> rate-limiting as a primary mitigation mechanism for dealing with DDoS.  I've
> seen more and more people using this as a mitigation strategy, against my
> advice.  For anyone interested in more information on the topic, and why
> rate-limiting is akin to cutting your foot off, I highly recommend you take
> a look at the paper "Effectiveness of Rate-Limiting in Mitigating Flooding
> DoS Attacks" presented by Jarmo Molsa at the Third IASTED International
> conference.
Thanks to Arbor for collecting the report and your observations.
One thing I found extremely strange is that almost 50% report they use 
BCP38/Strict uRPF at peering edge, yet only about 33% use it in 
customer direction. (Figure 13, p20)
I wonder if peering edge refers to "drop your own addresses" or real 
strict uRPF (or the like)?
If not I'm curious if this is for real, and how in earth they're doing 
it, especially given that in Fig 15 (p22) shows they don't implement 
BGP prefix filtering.  If you can't filter BGP, how could you filter 
packets? Based on my experience, even if you filter BGP, you may not 
be able to filter packets except in simple scenarios.
-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings