[133295] in North American Network Operators' Group


Re: Over a decade of DDOS--any progress yet?

daemon@ATHENA.MIT.EDU (Arturo Servin)
Wed Dec 8 10:33:15 2010

From: Arturo Servin <arturo.servin@gmail.com>
Date: Wed, 8 Dec 2010 13:33:01 -0200
In-Reply-To: <mailman.8112.1291821147.813.nanog@nanog.org>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 8 Dec 2010, at 13:12, nanog-request@nanog.org wrote:

> Date: Wed, 8 Dec 2010 12:53:51 +0000
> From: "Dobbins, Roland" <rdobbins@arbor.net>
> Subject: Re: Over a decade of DDOS--any progress yet?
> To: North American Operators' Group <nanog@nanog.org>
> Message-ID: <BF571AD7-1122-407B-B7FA-77B9BBAC48F7@arbor.net>
> Content-Type: text/plain; charset="us-ascii"
>
>
> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>
>> One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
>
> The technology exists to detect and classify this attack traffic, and is deployed in production networks today.

Yes, they do exist. But are people really filtering out attacks or just watching the attacks going out?

>
> And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes.
>
>> On the other hand, the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect.
>
> Actually, there're lots of things they can do.

Yes, but all of them rely on your upstreams or on mirroring your content. If 100 Mbps are reaching your input interface of 10 Mbps, there is not much that you can do.

>
>> I know that this has many security concerns, but would it be good to have a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as possible to the source? Of course this is more complex than these two or three lines, but I wonder if this has been considered in the past.
>
> It already exists.

If you have a URL, that would be good. I only found a few research papers on the topic and RSVP documents, but nothing really concrete.

Regards,
-as
