[127788] in North American Network Operators' Group
Re: Vyatta as a BRAS
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Wed Jul 14 10:12:23 2010
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Wed, 14 Jul 2010 14:12:07 +0000
In-Reply-To: <82hbk2nphu.fsf@mid.bfk.de>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jul 14, 2010, at 8:48 PM, Florian Weimer wrote:
> From or to your customers?
Both.
> Stopping customer-sourced attacks is probably a good thing for the Internet at large.
Concur 100%.
> And you can't combat attacks targeted at customers within your own network unless you've got very large WAN pipes, moving you into the realm of special-purpose hardware for other reasons.
Sure, you can, via S/RTBH, IDMS, et al. While DNS reflection/amplification attacks are used to create crushing volumes of attack traffic, and even smallish botnets can create high-volume attacks, most packet-flooding attacks are predicated on throughput - i.e., pps - rather than bandwidth, and tend to use small packets. Of course, they can use *lots and lots* of small packets, and often do, but one can drop these packets via the various mechanisms one has available, then reach out to the global opsec community for filtering closer to the sources.
The thing is, with many DDoS attacks, the pps/bps/cps/tps required to disrupt the targets can be quite small, due to the unpreparedness of the defenders. Many high-profile attacks discussed in the press such as the Mafiaboy attacks, the Estonian attacks, the Russian/Georgian/Azerbaijan attacks, the China DNS meltdown, and the RoK/USA DDoS attacks were all a) low-volume, b) low-throughput, c) exceedingly unsophisticated, and d) eminently avoidable via sound architecture, deployment of BCPs, and sound operational practices.
In fact, many DDoS attacks are quite simplistic in nature and many are low in bandwidth/throughput; the miscreants only use the resources necessary to achieve their goals, and due to the unpreparedness of defenders, they don't have a need to make use of overwhelming and/or complex attack methodologies.
This doesn't mean that high-bandwidth, high-throughput, and/or complex DDoS attacks don't occur, or that folks shouldn't be prepared to handle them; quite the opposite, we see a steady increase in attack volume, throughput and sophistication at the high end. But the fact of the matter is that many DDoS targets - and associated network infrastructure, and services such as DNS - are surprisingly fragile, and thus are vulnerable to surprisingly simple/small attacks, or even inadvertent/accidental attacks.
> Previously, this was really a no-brainer because you couldn't get PCI
> cards with the required interfaces, but with Ethernet everywhere, the
> bandwidths you can handle on commodity hardware will keep increasing.
Concur 100%.
> Eventually, you'll need special-purpose hardware only for a smallish
> portion at the top of the router market, or if you can't get the
> software with the required protocol support on other devices.
I believe that the days of software-based routers are numbered, period, due to the factors you describe. Of course, the 'top of the router market' seems to keep moving upwards, despite many predictions to the contrary.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
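The pps-versus-bps distinction drawn in the post above, as an added example that is not from the original message or from any NANOG participant: a small Python classifier over constructed flow records (the destination addresses, the 10-second window and both thresholds are assumed values) that flags a destination receiving a high rate of small packets even when its bit rate looks modest, and separately flags a bandwidth-driven flood.

```python
from collections import defaultdict

# Constructed sample flow records for one 10-second export window:
# (destination IP, packet count, byte count). Addresses are from TEST-NET-1.
FLOWS = [
    ("192.0.2.10", 1_800_000, 115_200_000),  # 64-byte packets, many of them
    ("192.0.2.10", 1_200_000, 76_800_000),
    ("192.0.2.20", 120_000, 168_000_000),    # 1400-byte packets, ordinary load
    ("192.0.2.20", 80_000, 112_000_000),
    ("192.0.2.30", 500_000, 700_000_000),    # 1400-byte packets, heavy volume
    ("192.0.2.30", 300_000, 420_000_000),
]

WINDOW_SECONDS = 10           # assumed export interval
PPS_THRESHOLD = 100_000       # assumed per-destination packets/second alarm
BPS_THRESHOLD = 500_000_000   # assumed per-destination bits/second alarm


def aggregate(flows, window_seconds):
    """Sum packets and bytes per destination, then derive pps, bps and
    average packet size over the window."""
    totals = defaultdict(lambda: [0, 0])
    for dst, packets, nbytes in flows:
        totals[dst][0] += packets
        totals[dst][1] += nbytes
    stats = {}
    for dst, (packets, nbytes) in totals.items():
        stats[dst] = {
            "pps": packets / window_seconds,
            "bps": nbytes * 8 / window_seconds,
            "avg_pkt_bytes": nbytes / packets if packets else 0.0,
        }
    return stats


def classify(stats, pps_threshold, bps_threshold):
    """Label each destination by which resource the traffic is stressing.
    A pps-flood passes the packet-rate alarm while staying under the
    bit-rate alarm, which is exactly the case a bandwidth-only view misses."""
    labels = {}
    for dst, s in stats.items():
        high_pps = s["pps"] >= pps_threshold
        high_bps = s["bps"] >= bps_threshold
        if high_pps and high_bps:
            labels[dst] = "pps+bps-flood"
        elif high_pps:
            labels[dst] = "pps-flood"
        elif high_bps:
            labels[dst] = "bps-flood"
        else:
            labels[dst] = "normal"
    return labels
```

Against the constructed records, 192.0.2.10 is reported as a pps-flood at about 154 Mbit/s, well under the bit-rate alarm, while 192.0.2.30 trips only the bit-rate alarm.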