[133293] in North American Network Operators' Group
Re: Over a decade of DDOS--any progress yet?
daemon@ATHENA.MIT.EDU (Thomas Mangin)
Wed Dec 8 10:10:44 2010
From: Thomas Mangin <thomas.mangin@exa-networks.co.uk>
In-Reply-To: <23035485.1291815970840.JavaMail.tomcat@fe-ps03>
Date: Wed, 8 Dec 2010 15:10:37 +0000
To: "alvaro.sanchez@adinet.com.uy" <alvaro.sanchez@adinet.com.uy>
Cc: North American Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
A less common action is to use flowspec (if you have some Juniper gear) to drop only the attack and hopefully not any legitimate traffic.
What is really missing atm is a way to filter flowspec announcements (limit the number and make sure they are for routes the peer is announcing). Until this is sorted I believe flowspec will be a marginal solution.
Thomas
PLUG: http://code.google.com/p/exabgp/
On 8 Dec 2010, at 13:46, alvaro.sanchez@adinet.com.uy wrote:
> A very common action is to blackhole ddos traffic upstream by sending a
> bgp route to the next AS with a pre-established community indicating the
> traffic must be sent to Null0. The route may be very specific, in order
> to impact as little as possible. This needs previous coordination between
> providers.
> Regards.
>
>> ----Original message----
>> From: rdobbins@arbor.net
>> Date: 08/12/2010 10:53
>> To: "North American Operators' Group"<nanog@nanog.org>
>> Subject: Re: Over a decade of DDOS--any progress yet?
>>
>>
>> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>>
>>> One big problem (IMHO) of DDoS is that sources (the host of
>>> botnets) may be completely unaware that they are part of a DDoS. I do
>>> not mean the bot machine, I mean the ISP connecting those.
>>
>> The technology exists to detect and classify this attack traffic, and
>> is deployed in production networks today.
>>
>> And of course, the legitimate owners of the botted hosts are
>> generally unaware that their machine is being used for nefarious
>> purposes.
>>
>>> On the other hand the target of a DDoS cannot do anything to stop
>>> the attack besides adding more BW or contacting one by one the whole
>>> path of providers to try to minimize the effect.
>>
>> Actually, there're lots of things they can do.
>>
>>> I know that this has many security concerns, but would it be good
>>> to have a signalling protocol between ISPs to inform the sources of a DDoS
>>> attack in order to take semiautomatic actions to rate-limit the traffic
>>> as close to the source as possible? Of course this is more complex than these
>>> three or two lines, but I wonder if this has been considered in the
>>> past.
>>
>> It already exists.
>>
>> -----------------------------------------------------------------------
>> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>>
>> Sell your computer and buy a guitar.
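The flowspec announcement filtering that Thomas describes as missing (cap how many rules a peer may inject, and accept a rule only when its destination prefix is covered by a unicast route that same peer announces), as an added Python example that is neither from this thread nor from ExaBGP; the peer names, prefixes, rule format and the per-peer limit are constructed assumptions.

```python
# Added example: a minimal receive-side validator for BGP flowspec rules.
# Two checks: a per-peer rule cap, and the RFC 5575-style rule that the
# best-matching unicast route for the rule's destination must come from the
# peer that sent the flowspec rule (so a peer cannot drop traffic to prefixes
# it does not announce).
import ipaddress
from collections import defaultdict


class FlowspecValidator:
    def __init__(self, max_rules_per_peer=100):
        self.max_rules = max_rules_per_peer          # constructed limit
        self.unicast = defaultdict(set)              # peer -> unicast prefixes
        self.accepted = defaultdict(list)            # peer -> accepted rules

    def add_unicast(self, peer, prefix):
        """Record a unicast route learned from this peer."""
        self.unicast[peer].add(ipaddress.ip_network(prefix))

    def best_match_peer(self, dest):
        """Peer whose unicast route is the longest match for dest, or None."""
        best = None
        for peer, prefixes in self.unicast.items():
            for p in prefixes:
                if p.version == dest.version and dest.subnet_of(p):
                    if best is None or p.prefixlen > best[1].prefixlen:
                        best = (peer, p)
        return best[0] if best else None

    def validate(self, peer, rule):
        """Return (accepted, reason) for a flowspec rule dict from peer."""
        if len(self.accepted[peer]) >= self.max_rules:
            return False, "per-peer flowspec rule limit reached"
        dest = ipaddress.ip_network(rule["destination"])
        if self.best_match_peer(dest) != peer:
            return False, "destination not covered by a route this peer announces"
        self.accepted[peer].append(rule)
        return True, "accepted"


if __name__ == "__main__":
    v = FlowspecValidator(max_rules_per_peer=2)
    v.add_unicast("AS64500", "192.0.2.0/24")         # constructed peers/routes
    v.add_unicast("AS64501", "192.0.2.128/25")
    for dst in ("192.0.2.10/32", "192.0.2.200/32", "198.51.100.7/32"):
        rule = {"destination": dst, "protocol": "udp", "action": "discard"}
        print(dst, v.validate("AS64500", rule))
```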