[133198] in North American Network Operators' Group


Re: Over a decade of DDOS--any progress yet?

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Mon Dec 6 09:10:50 2010

From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <1291626475.30568.1618.camel@wks02>
Date: Mon, 6 Dec 2010 09:10:21 -0500
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:

> Besides having *a lot* of bandwidth there's not really much you can do to
> mitigate. Once you have the bandwidth you can filter (w/good hardware).
> Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.

There is a variation on that theme.  Using a distributed architecture
(anycast, CDN, whatever), you can limit the attack to certain nodes.  If
you have 20 nodes and get attacked from a botnet in China, only the users
on the same node as the Chinese users will be down.  The other 95% of your
users will be fine.  This is true even if you have 1 Gbps per node, and
the attack is 100 Gbps strong.


> Spoofed attacks have reduced significantly, probably because of the use of
> RPF. However, we still see these from time to time.

I disagree.  Spoofed attacks have reduced because the botnets do not
need to spoof to succeed in some attacks.  RPF is woefully inadequately
applied.

For attacks which require spoofing, it is still trivial to generate 10s
of Gbps of spoofed packets.


> I do not see a real solution to this problem right now...there's not much
> you can do about the unwillingness of users to keep their software/OS
> up2date and deploy anti-virus/anti-malware software (and keep it
> up2date).
> Some approaches have been made like cutting off internet access for users
> which have been identified by ISPs for being a member of some
> botnet/being infected.
> This might be the only long-term solution to this probably. There is
> just no patch for human stupidity.

Quarantining end users sounds like a good idea to me.  But I Am Not An
ISP. :)

The idea of auto-updates at the OS level like in iOS (as opposed to
big-I "IOS") may be a solution for many people.  Supposedly OSX is going
that route.  But there will be those who do not want to get their
software -only- through a walled garden like iTunes.

Fortunately, the motivations do have some alignment.  The users who do
not need full access to their machines are the ones who are more likely
to get confused & infected, and the ones who want someone to "protect"
them more, which makes OS-level auto-update more appealing.  So that may
help, even if it is not a panacea.

Wish us luck!

-- 
TTFN,
patrick
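The message above argues that RPF (unicast reverse-path forwarding) is "woefully inadequately applied" and that spoofed floods are still easy to generate. The following is an added example, not part of the thread or of any vendor's code, showing what the check actually decides on a router's ingress port, and why the loose variant that is safe to turn on everywhere lets a spoofed neighbouring prefix through while strict mode catches it. The FIB, interface names and packet samples are constructed for illustration.

```python
"""Strict vs loose unicast RPF (uRPF) as applied to ingress traffic.

Added example for the NANOG thread; not code from the original message.
The FIB below and the sample packets are constructed, not captured.
"""
import ipaddress

# Constructed FIB: prefix -> egress interface. Longest prefix wins.
FIB = {
    "198.51.100.0/24": "ge-0/0/0",   # single-homed customer A
    "203.0.113.0/24":  "ge-0/0/1",   # single-homed customer B
    "0.0.0.0/0":       "ge-0/0/2",   # default route toward upstream
}

# Pre-sort by prefix length so the first hit is the longest match.
_FIB = sorted(
    ((ipaddress.ip_network(p), ifc) for p, ifc in FIB.items()),
    key=lambda e: e[0].prefixlen, reverse=True,
)


def lookup(addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    for net, ifc in _FIB:
        if ip in net:
            return net, ifc
    return None


def urpf_permits(src, ingress, mode="strict", default_route_ok=False):
    """Decide whether a packet from `src` arriving on `ingress` passes uRPF.

    strict: the best route back to src must point out `ingress`; this is
            what a provider can run on a single-homed customer port.
    loose : any route to src suffices; it only stops sources with no
            route at all (bogons), not spoofing of routable space.
    The default route is ignored unless default_route_ok is set, because
    0.0.0.0/0 would otherwise make every possible source "routable".
    """
    hit = lookup(src)
    if hit is None:
        return False
    net, ifc = hit
    if net.prefixlen == 0 and not default_route_ok:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return ifc == ingress
    raise ValueError("unknown uRPF mode: %r" % (mode,))


def filter_packets(packets, mode):
    """Apply uRPF to (src, ingress) pairs -> list of (src, ingress, verdict)."""
    return [
        (src, ifc, "permit" if urpf_permits(src, ifc, mode) else "drop")
        for src, ifc in packets
    ]


# Constructed traffic arriving on customer A's port: its own prefix,
# a source spoofed from customer B's prefix, and a spoofed source in
# documentation space that only the default route covers.
SAMPLE = [
    ("198.51.100.7", "ge-0/0/0"),
    ("203.0.113.9", "ge-0/0/0"),
    ("192.0.2.44", "ge-0/0/0"),
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode)
        for src, ifc, verdict in filter_packets(SAMPLE, mode):
            print("  %-15s on %-9s -> %s" % (src, ifc, verdict))
```

Strict mode is only deployable where the topology guarantees symmetric routing (the customer edge), which is one concrete reason the check is applied far less widely than the thread would like; loose mode can be turned on at peering and transit edges but, as the second sample packet shows, it does nothing against a bot spoofing any prefix that exists in the global table.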


