[133291] in North American Network Operators' Group
Re: Over a decade of DDOS--any progress yet?
daemon@ATHENA.MIT.EDU (Thomas Mangin)
Wed Dec 8 10:04:47 2010
From: Thomas Mangin <thomas.mangin@exa-networks.co.uk>
In-Reply-To: <AANLkTikby5S1BbXj+zchuXQ94Wkw0Ehtbgj2OwP4Za=o@mail.gmail.com>
Date: Wed, 8 Dec 2010 15:04:28 +0000
To: David Ulevitch <david@ulevitch.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 6 Dec 2010, at 15:34, David Ulevitch wrote:
> On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore <patrick@ianai.net> wrote:
>> On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
>>
>>> Besides having *a lot* of bandwidth there's not really much you can do to
>>> mitigate. Once you have the bandwidth you can filter (w/good hardware).
>>> Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.
>>
>> There is a variation on that theme. Using a distributed architecture
>> (anycast, CDN, whatever), you can limit the attack to certain nodes. If
>> you have 20 nodes and get attacked from a botnet in China, only the users
>> on the same node as the Chinese users will be down. The other 95% of your
>> users will be fine. This is true even if you have 1 Gbps per node, and
>> the attack is 100 Gbps strong.
>
> I think this is only true if you run your BGP session on a different
> path (or have your provider pin down a static route). If you are
> using BGP and run it on the same path, the 100Gbps will cause massive
> packet loss and likely cause your BGP session to drop which will just
> move the attack to another site, rinse / repeat. I don't think very
> many people run BGP over a separate circuit, but for some folks, it
> might be appropriate.

Running BGP over a different circuit will cause some blackholing of the
traffic if the real link is down but not the BGP path.

So IMHO the best way is still a good router with some basic QoS to
protect BGP on the link.
Thomas
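One way to implement the "basic QoS to protect BGP on the link" that Thomas suggests, as an added illustration that is not from the thread or any poster; it assumes Cisco IOS-style MQC syntax and an upstream-facing interface named GigabitEthernet0/1 (both are assumptions, and the priority percentage is a placeholder to tune per link):

```cisco
! Added example, not from the thread: keep the BGP session alive on a link
! that attack traffic may congest, so the prefix is not withdrawn (which
! would only move the attack to the next site, as David describes).
!
! Match BGP control traffic in both directions (TCP port 179).
ip access-list extended BGP-CONTROL
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-all BGP-CLASS
 match access-group name BGP-CONTROL
!
! Give BGP a small strict-priority slice; everything else shares the rest.
policy-map PROTECT-BGP-OUT
 class BGP-CLASS
  priority percent 2
 class class-default
  fair-queue
!
! Apply outbound on the upstream-facing interface (interface name assumed).
interface GigabitEthernet0/1
 service-policy output PROTECT-BGP-OUT
```

This only protects the direction this router transmits; inbound BGP packets still compete with the flood on the provider's side of the link, so the upstream needs an equivalent policy for the session to survive in both directions. `show policy-map interface GigabitEthernet0/1` shows whether the BGP class is actually seeing matches and drops during an event.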