[149469] in North American Network Operators' Group
Re: UDP port 80 DDoS attack
daemon@ATHENA.MIT.EDU (Keegan Holley)
Sun Feb 5 22:31:56 2012
In-Reply-To: <4F2F4423.8040803@gmail.com>
From: Keegan Holley <keegan.holley@sungard.com>
Date: Sun, 5 Feb 2012 22:30:20 -0500
To: Steve Bertrand <steve.bertrand@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
2012/2/5 Steve Bertrand <steve.bertrand@gmail.com>
> On 2012.02.05 20:37, Keegan Holley wrote:
>
>> 2012/2/5 Dobbins, Roland <rdobbins@arbor.net>
>>
>
>>> S/RTBH - as opposed to D/RTBH - doesn't kill the patient. Again, suggest
>>> you read the preso.
>>>
>>>
>> Source RTBH often falls victim to rapidly changing or spoofed source IPs.
>> It also isn't as widely supported as it should be. I never said DDoS was
>> hopeless, there just isn't a wealth of defenses against it.
>>
>
> This is so very easily automated. Even if you don't actually want to
> trigger the routes automatically, finding the sources you want to blackhole
> is as simple as a monitor port, tcpdump and some basic Perl.
>
This is still vulnerable to spoofing, which could cause you to filter
legitimate traffic and make the problem worse. Not saying that S/RTBH is a
bad idea. RTBH is effective and a great idea, just not very elegant.
>
> ...and as far as this not having been deployed in many ISPs (per your next
> message)... their mitigation strategies should be asked up front, and if
> they don't have any (or don't know what you speak of), find a new ISP.
>
You sometimes have to weigh the pros and cons. You can't always pick the
guys with the coolest knobs.
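The "tcpdump and some basic Perl" step Steve describes, as an added example that is not from this thread (written in Python rather than Perl): it aggregates constructed tcpdump-style UDP/80 lines per source and, as a simple hypothetical heuristic addressing Keegan's spoofing objection, only nominates sources that stay hot across several consecutive seconds. Threshold values, the `min_pps`/`min_seconds` names and the sample addresses are assumptions.

```python
"""Turn tcpdump-style UDP/80 lines into S/RTBH candidate sources."""
import re
from collections import Counter, defaultdict

# Constructed sample in tcpdump's default text format (not a real capture).
# 198.51.100.7 floods steadily, 192.0.2.50 is a one-second spoofed burst,
# 203.0.113.99 is a single legitimate packet; the last line is TCP, not UDP.
SAMPLE_LINES = """\
22:30:01.100000 IP 198.51.100.7.40001 > 203.0.113.10.80: UDP, length 1024
22:30:01.200000 IP 198.51.100.7.40002 > 203.0.113.10.80: UDP, length 1024
22:30:02.100000 IP 198.51.100.7.40003 > 203.0.113.10.80: UDP, length 1024
22:30:02.200000 IP 198.51.100.7.40004 > 203.0.113.10.80: UDP, length 1024
22:30:03.100000 IP 198.51.100.7.40005 > 203.0.113.10.80: UDP, length 1024
22:30:03.200000 IP 198.51.100.7.40006 > 203.0.113.10.80: UDP, length 1024
22:30:01.300000 IP 192.0.2.50.5555 > 203.0.113.10.80: UDP, length 1024
22:30:01.400000 IP 192.0.2.50.5556 > 203.0.113.10.80: UDP, length 1024
22:30:02.500000 IP 203.0.113.99.53012 > 203.0.113.10.80: UDP, length 60
22:30:02.600000 IP 203.0.113.99.53013 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
"""

# Matches "HH:MM:SS.usec IP src.sport > dst.80: UDP ..." and nothing else.
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(\d+\.\d+\.\d+\.\d+)\.80: UDP"
)


def parse_lines(text):
    """Yield (second_of_day, src, dst) for each UDP-to-port-80 line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hh, mm, ss, src, dst = m.groups()
            yield int(hh) * 3600 + int(mm) * 60 + int(ss), src, dst


def rtbh_candidates(text, min_pps, min_seconds):
    """Sources sending >= min_pps UDP/80 packets in at least min_seconds
    distinct seconds. The persistence requirement (an assumed heuristic) keeps
    short spoofed bursts from ever reaching the blackhole trigger."""
    per_second = defaultdict(Counter)
    for sec, src, _dst in parse_lines(text):
        per_second[sec][src] += 1
    hot_seconds = Counter()
    for counts in per_second.values():
        for src, n in counts.items():
            if n >= min_pps:
                hot_seconds[src] += 1
    return sorted(src for src, k in hot_seconds.items() if k >= min_seconds)


if __name__ == "__main__":
    print(rtbh_candidates(SAMPLE_LINES, min_pps=2, min_seconds=2))
```

Feeding a real `tcpdump -nn udp dst port 80` stream into `rtbh_candidates` gives a list to review by hand before any route is injected; the thresholds here are illustrative, not tuned values.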