[133204] in North American Network Operators' Group


Re: Over a decade of DDOS--any progress yet?

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Mon Dec 6 10:41:00 2010

In-Reply-To: <AANLkTikby5S1BbXj+zchuXQ94Wkw0Ehtbgj2OwP4Za=o@mail.gmail.com>
From: "Patrick W. Gilmore" <patrick@ianai.net>
Date: Mon, 6 Dec 2010 10:40:20 -0500
To: North American Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Dec 6, 2010, at 10:34 AM, David Ulevitch <david@ulevitch.com> wrote:
> On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore <patrick@ianai.net> wrote:
>> On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
>>
>>> Besides having *a lot* of bandwidth there's not really much you can do to
>>> mitigate. Once you have the bandwidth you can filter (w/good hardware).
>>> Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.
>>
>> There is a variation on that theme.  Using a distributed architecture (anycast,
>> CDN, whatever), you can limit the attack to certain nodes.  If you have 20 nodes
>> and get attacked from a botnet in China, only the users on the same node as the
>> Chinese use will be down.  The other 95% of your users will be fine.  This is
>> true even if you have 1 Gbps per node, and the attack is 100 Gbps strong.
>
> I think this is only true if you run your BGP session on a different
> path (or have your provider pin down a static route).

You are assuming many things - such as the fact BGP is used at all.

But yes, of course you have to ensure the attack traffic does not move when you
get attacked or you end up with a domino effect that takes out your entire
infrastructure.


> But as you and others have pointed out, not a lot of defense against
> DDoS these days besides horsepower and anycast. :-)

Not just anycast.  I said distributed architecture.  There are more ways to
distribute than anycast.

Not everything is limited to 13 IP addresses at the GTLDs, David. :-)

-- 
TTFN,
patrick
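The node-counting argument in the message above (20 nodes, 1 Gbps each, a 100 Gbps attack, 95% of users unaffected) and the "domino effect" caveat can be put into a small model. This is an added example, not code from the thread or from any of the posters: it assumes a toy anycast deployment in which a volumetric attack lands on whichever announced node is "closest" to the attacker, and compares the policy where the attacked node keeps announcing the prefix (its BGP session or a static route does not ride the saturated path) with the policy where the announcement drops with the link and the attack moves to the next node. The node names, the attacker's ordering over nodes, and the user counts are constructed for the model.

```python
"""Toy model of the 'distributed architecture' argument in the thread above.

Constructed example, not code from the thread.  N anycast nodes announce the
same prefix; a volumetric attack lands on whichever announced node is
'closest' to the attacker.  Two policies for what happens next:

  pinned   - the node keeps announcing (its BGP session or a static route does
             not share the saturated path), so only that node's users are down.
  withdraw - the announcement drops with the saturated link, the prefix is
             withdrawn from that node, and the attack moves to the next node.

The figures 20 nodes / 1 Gbps per node / 100 Gbps attack are the thread's own;
everything else here (node names, attacker ordering, user counts) is assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    capacity_gbps: float   # uplink capacity at this site
    users: int             # users whose 'closest' node this is


def simulate(nodes, attack_gbps, attack_path, withdraw_when_saturated):
    """Return (users_served, total_users, events).

    attack_path lists every node name in the order the attacker's traffic would
    reach them if each earlier node stopped announcing the prefix (anycast
    'closest first').  It should cover all nodes.
    """
    by_name = {n.name: n for n in nodes}
    announced = {n.name for n in nodes}   # nodes currently announcing the prefix
    saturated = set()                      # nodes whose uplink is full of attack traffic
    events = []

    for name in attack_path:
        if name not in announced:
            continue
        node = by_name[name]
        if attack_gbps <= node.capacity_gbps:
            events.append(f"{name}: absorbed {attack_gbps:g} Gbps")
            break
        saturated.add(name)
        events.append(f"{name}: saturated ({attack_gbps:g} Gbps > {node.capacity_gbps:g} Gbps)")
        if not withdraw_when_saturated:
            # Announcement survives, attack stays put: this node's users are the only casualties.
            break
        announced.discard(name)
        events.append(f"{name}: withdrew prefix, attack moves to next node")

    # Users homed on an announced, unsaturated node are fine.  Users of a node
    # that withdrew fail over to the nearest node still announcing; in this model
    # every still-announced node is unsaturated (except the pinned one, which
    # never withdraws), so they are served iff some healthy node is still up.
    healthy = [n for n in nodes if n.name in announced and n.name not in saturated]
    served = sum(n.users for n in healthy)
    if healthy:
        served += sum(n.users for n in nodes if n.name not in announced)
    return served, sum(n.users for n in nodes), events


def thread_scenario(withdraw_when_saturated):
    """The thread's figures: 20 nodes, 1 Gbps each, one 100 Gbps attack."""
    nodes = [Node(f"node{i:02d}", capacity_gbps=1.0, users=1000) for i in range(20)]
    # Assumed: the botnet is 'closest' to node07, then reaches the rest in index order.
    path = ["node07"] + [n.name for n in nodes if n.name != "node07"]
    return simulate(nodes, 100.0, path, withdraw_when_saturated)


if __name__ == "__main__":
    for policy, label in ((False, "pinned"), (True, "withdraw")):
        served, total, events = thread_scenario(policy)
        print(f"{label}: {served}/{total} users served ({100 * served / total:.0f}%)")
        for e in events:
            print("   ", e)
```

With the pinned policy the 100 Gbps attack saturates node07 and stays there, so 19 of 20 nodes (95% of users) are untouched; with the withdraw policy each saturated node pulls its announcement, the attack walks the whole path, and no node is left to serve anyone, which is the domino effect the message warns about.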


