[133289] in North American Network Operators' Group


RE: Over a decade of DDOS--any progress yet?

daemon@ATHENA.MIT.EDU (Drew Weaver)
Wed Dec 8 09:30:35 2010

From: Drew Weaver <drew.weaver@thenap.com>
To: "'alvaro.sanchez@adinet.com.uy'" <alvaro.sanchez@adinet.com.uy>,
	"rdobbins@arbor.net" <rdobbins@arbor.net>, North American Operators' Group
	<nanog@nanog.org>
Date: Wed, 8 Dec 2010 09:30:24 -0500
In-Reply-To: <23035485.1291815970840.JavaMail.tomcat@fe-ps03>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Yes, but this obviously completes the 'DDoS attack' and sends the signal that
the bully will win.

-Drew


-----Original Message-----
From: alvaro.sanchez@adinet.com.uy [mailto:alvaro.sanchez@adinet.com.uy]
Sent: Wednesday, December 08, 2010 8:46 AM
To: rdobbins@arbor.net; North American Operators' Group
Subject: Re: Over a decade of DDOS--any progress yet?

A very common action is to blackhole DDoS traffic upstream by sending a
BGP route to the next AS with a preestablished community indicating the
traffic must be sent to Null0. The route may be very specific, in order
to impact as little as possible. This needs previous coordination between
providers.
Regards.

>----Original message----
>From: rdobbins@arbor.net
>Date: 08/12/2010 10:53
>To: "North American Operators' Group"<nanog@nanog.org>
>Subject: Re: Over a decade of DDOS--any progress yet?
>
>
>On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>
>> One big problem (IMHO) of DDoS is that sources (the host of
>> botnets) may be completely unaware that they are part of a DDoS. I do
>> not mean the bot machine, I mean the ISP connecting those.
>
>The technology exists to detect and classify this attack traffic, and
>is deployed in production networks today.
>
>And of course, the legitimate owners of the botted hosts are
>generally unaware that their machine is being used for nefarious
>purposes.
>
>> On the other hand, the target of a DDoS cannot do anything to stop
>> the attack besides adding more BW or contacting one by one the whole
>> path of providers to try to minimize the effect.
>
>Actually, there're lots of things they can do.
>
>> I know that this has many security concerns, but would it be good
>> to have a signalling protocol between ISPs to inform the sources of a
>> DDoS attack in order to take semiautomatic actions to rate-limit the
>> traffic as close to the source as possible? Of course this is more
>> complex than these three or two lines, but I wonder if this has been
>> considered in the past.
>
>It already exists.
>
>-----------------------------------------------------------------------
>Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
> 	       Sell your computer and buy a guitar.
>
>
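
The "previous coordination between providers" that the blackhole message above relies on, seen from the upstream's side, as an added example that is not part of the thread: the check an upstream applies before honouring a customer's blackhole request, so that a BGP session can only discard traffic for that customer's own address space and only for very specific routes. The community value (the RFC 7999 BLACKHOLE community), the prefix-length limits, the discard next hops, the ASN and the prefixes are all assumptions or constructed documentation values.

```python
import ipaddress

# Everything below is an assumed policy for illustration; the thread names no values.
BLACKHOLE_COMMUNITY = "65535:666"            # RFC 7999 BLACKHOLE; any agreed value works
DISCARD_NEXT_HOP = {4: "192.0.2.1", 6: "2001:db8::1"}  # constructed; routed to Null0
MIN_BLACKHOLE_LEN = {4: 32, 6: 128}          # blackhole host routes only
MAX_NORMAL_LEN = {4: 24, 6: 48}              # usual limit for ordinary announcements
CUSTOMER_PREFIXES = {64496: ["203.0.113.0/24", "2001:db8:100::/48"]}  # constructed


def evaluate_announcement(customer_asn, prefix, communities):
    """Decide what the upstream does with one route received from a customer.

    Returns (action, next_hop): action is "accept", "blackhole" or "reject".
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return ("reject", None)              # malformed prefix or host bits set
    allowed = (ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES.get(customer_asn, []))
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return ("reject", None)              # not this customer's address space
    if BLACKHOLE_COMMUNITY in communities:
        if net.prefixlen < MIN_BLACKHOLE_LEN[net.version]:
            return ("reject", None)          # too broad to discard wholesale
        return ("blackhole", DISCARD_NEXT_HOP[net.version])
    if net.prefixlen > MAX_NORMAL_LEN[net.version]:
        return ("reject", None)              # too specific without the community
    return ("accept", None)


if __name__ == "__main__":
    # Constructed sample announcements: (customer ASN, prefix, communities)
    samples = [
        (64496, "203.0.113.7/32", {BLACKHOLE_COMMUNITY}),   # victim host route
        (64496, "203.0.113.0/24", {BLACKHOLE_COMMUNITY}),   # whole block: refused
        (64496, "198.51.100.9/32", {BLACKHOLE_COMMUNITY}),  # someone else's space
        (64496, "203.0.113.0/24", set()),                   # ordinary announcement
    ]
    for asn, prefix, comms in samples:
        print(asn, prefix, sorted(comms), "->", evaluate_announcement(asn, prefix, comms))
```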




