[133203] in North American Network Operators' Group


Re: Over a decade of DDOS--any progress yet?

daemon@ATHENA.MIT.EDU (David Ulevitch)
Mon Dec 6 10:34:25 2010

In-Reply-To: <F27BB651-5641-444F-BF0D-7FECFB74AF06@ianai.net>
Date: Mon, 6 Dec 2010 07:34:13 -0800
From: David Ulevitch <david@ulevitch.com>
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore <patrick@ianai.net> wrote:
> On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
>
>> Besides having *a lot* of bandwidth there's not really much you can do to
>> mitigate. Once you have the bandwidth you can filter (w/good hardware).
>> Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.
>
> There is a variation on that theme.  Using a distributed architecture
> (anycast, CDN, whatever), you can limit the attack to certain nodes.  If you
> have 20 nodes and get attacked from a botnet in China, only the users on the
> same node as the Chinese use will be down.  The other 95% of your users
> will be fine.  This is true even if you have 1 Gbps per node, and the
> attack is 100 Gbps strong.

I think this is only true if you run your BGP session on a different
path (or have your provider pin down a static route).  If you are
using BGP and run it on the same path, the 100Gbps will cause massive
packet loss and likely cause your BGP session to drop which will just
move the attack to another site, rinse / repeat.  I don't think very
many people run BGP over a separate circuit, but for some folks, it
might be appropriate.

I also recommend folks anycast with a /22 or /23 and then use BGP for
the /23 or /24 announcements and have their provider pin down the /22
at a few sites so that if all hell breaks loose and the /23 or /24 is
flapping and being dampened then you still have reachability with the
covering prefix.  It also lets you harden and strengthen a few smaller
sites that have the /22 statically pinned down.  I'm not sure if
people think the "cost" of doing this is worth it, jury still out for
us.

But as you and others have pointed out, not a lot of defense against
DDoS these days besides horsepower and anycast. :-)

-David
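The covering-prefix scheme David describes (more-specifics announced over BGP from every anycast node, the aggregate pinned statically by the provider at a few hardened sites) comes down to longest-prefix match and what survives when the BGP-learned routes go away. The following is an added example written for this archive page, not code from anyone in the thread: a toy RIB with longest-prefix-match lookup that walks through a session drop and then route dampening, once with the /22 pinned and once without. The prefixes are RFC 5737 documentation space, the site names and metrics are made up, and "metric" stands in for whatever tie-breaker (AS-path length, IGP cost) would pick the nearest anycast node in a real network.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: RFC 5737 documentation prefixes, invented site names.
# 203.0.112.0/22 is the covering aggregate; 203.0.112.0/23 and 203.0.113.0/24
# are the more-specifics each anycast node announces over its own BGP session.


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    site: str
    origin: str   # "static": pinned by the provider; "bgp": learned over a session
    metric: int   # lower = nearer; stands in for AS-path / IGP distance


class Rib:
    def __init__(self):
        self.routes = []

    def add(self, prefix, site, origin, metric):
        self.routes.append(Route(ipaddress.ip_network(prefix), site, origin, metric))

    def bgp_session_down(self, site):
        """The flood saturates the path the BGP session rides on; the session drops
        and everything learned over BGP from that site is withdrawn. A statically
        pinned route survives because no session has to keep it alive."""
        self.routes = [r for r in self.routes
                       if not (r.site == site and r.origin == "bgp")]

    def dampen(self, prefix):
        """Route-flap dampening suppresses a BGP-learned prefix wherever it was learned."""
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes
                       if not (r.prefix == net and r.origin == "bgp")]

    def lookup(self, dst):
        """Longest-prefix match first, nearest (lowest metric) node as tie-breaker."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return None
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


def build_rib(pin_covering=True):
    rib = Rib()
    # Every anycast node announces the /24 and the /23 over BGP.
    for site, metric in [("sjc", 10), ("iad", 20), ("fra", 30), ("sin", 40)]:
        rib.add("203.0.113.0/24", site, "bgp", metric)
        rib.add("203.0.112.0/23", site, "bgp", metric)
    # The provider pins the covering /22 statically at two hardened sites only.
    if pin_covering:
        rib.add("203.0.112.0/22", "iad", "static", 20)
        rib.add("203.0.112.0/22", "fra", "static", 30)
    return rib


def walk_through(pin_covering=True, dst="203.0.113.10"):
    """Which site serves `dst` at each stage of the attack; None means unreachable."""
    rib = build_rib(pin_covering)

    def where():
        r = rib.lookup(dst)
        return None if r is None else (r.site, r.origin, r.prefix.prefixlen)

    stages = {"normal": where()}
    rib.bgp_session_down("sjc")                 # attack lands on the nearest node
    stages["sjc session dropped"] = where()     # ...and follows the /24 to the next one
    rib.dampen("203.0.113.0/24")                # both more-specifics now flapping
    rib.dampen("203.0.112.0/23")
    stages["/24 and /23 dampened"] = where()    # only the pinned /22 can answer
    return stages


if __name__ == "__main__":
    for pinned in (True, False):
        print("covering /22 pinned:", pinned)
        for stage, result in walk_through(pinned).items():
            print(f"  {stage:24s} -> {result}")
```

Without the pinned aggregate the last stage returns None: once the more-specifics are suppressed there is nothing left to match, which is the failure the static /22 at a few hardened sites is meant to cover.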

