[149470] in North American Network Operators' Group
Re: UDP port 80 DDoS attack
daemon@ATHENA.MIT.EDU (Steve Bertrand)
Sun Feb 5 22:41:08 2012
Date: Sun, 05 Feb 2012 22:40:19 -0500
From: Steve Bertrand <steve.bertrand@gmail.com>
To: Keegan Holley <keegan.holley@sungard.com>
In-Reply-To: <CABO8Q6TcybzxOBzuab2dxqWecKOU37dGcDaJ1hqWfgF9dAZG2g@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 2012.02.05 22:30, Keegan Holley wrote:
> 2012/2/5 Steve Bertrand <steve.bertrand@gmail.com>
>> On 2012.02.05 20:37, Keegan Holley wrote:
>>> Source RTBH often falls victim to rapidly changing or spoofed source IPs.
>>> It also isn't as widely supported as it should be. I never said DDOS was
>>> hopeless, there just aren't a wealth of defenses against it.
>>
>> This is so very easily automated. Even if you don't actually want to
>> trigger the routes automatically, finding the sources you want to
>> blackhole is as simple as a monitor port, tcpdump and some basic Perl.
>
> This is still vulnerable to spoofing which could cause you to filter
> legitimate traffic and make the problem worse. Not saying that S/RTBH
> is a bad idea. RTBH is effective and a great idea just not very elegant.
Agreed. Diligence does play a role. However, the times I have
implemented and used (s/)RTBH, I thought it was most elegant. I love its
simplicity and effectiveness.
>> ...and as far as this not having been deployed in many ISPs (per
>> your next message)... their mitigation strategies should be asked up
>> front, and if they don't have any (or don't know what you speak of),
>> find a new ISP.
>
> You sometimes have to weigh the pros and cons. You can't always pick
> the guys with the coolest knobs.
Agreed. But to me, DDOS mitigation is not just a cool knob. If my ISP
can help mitigate a 1Gb onslaught so my 100Mb pipe isn't overwhelmed,
that's more functional than cool. Ranks right up there with IPv6 ;)
Steve
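The "monitor port, tcpdump and some basic Perl" approach Steve describes, together with Keegan's spoofing caveat, as an added example that is not part of the thread (written in Python rather than Perl; the tcpdump lines, addresses, threshold and protected prefix are all constructed):

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of "tcpdump -n" output lines; not a real capture.
SAMPLE_TCPDUMP = """\
22:40:01.000001 IP 198.51.100.7.40000 > 203.0.113.10.80: UDP, length 1400
22:40:01.000002 IP 198.51.100.7.40001 > 203.0.113.10.80: UDP, length 1400
22:40:01.000003 IP 192.0.2.55.53 > 203.0.113.10.80: UDP, length 1400
22:40:01.000004 IP 198.51.100.7.40002 > 203.0.113.10.80: UDP, length 1400
22:40:01.000005 IP 192.0.2.9.51515 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
22:40:01.000006 IP 192.0.2.55.53 > 203.0.113.10.80: UDP, length 1400
22:40:01.000007 IP 203.0.113.200.12345 > 203.0.113.10.80: UDP, length 64
"""

# Matches only the UDP form of a tcpdump line; TCP and other lines are skipped.
UDP_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)

def udp_bytes_per_source(lines, dport=80):
    """Return {source_ip: total_bytes} for UDP packets sent to dport."""
    totals = Counter()
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if m and int(m.group("dport")) == dport:
            totals[m.group("src")] += int(m.group("length"))
    return totals

def blackhole_candidates(totals, min_bytes, protected_prefixes):
    """Sources at or above min_bytes that are outside every protected prefix.
    Counts cannot tell a spoofed source from a real one (the thread's caveat),
    so the protected list keeps addresses you can never afford to drop out of
    the trigger, and the threshold stops one stray packet producing a route."""
    protected = [ipaddress.ip_network(p) for p in protected_prefixes]
    out = []
    for src, total in totals.most_common():
        if total < min_bytes:
            break
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in protected):
            continue
        out.append((src, total))
    return out

if __name__ == "__main__":
    totals = udp_bytes_per_source(SAMPLE_TCPDUMP.splitlines())
    for src, total in blackhole_candidates(totals, 2000, ["192.0.2.0/24"]):
        print(f"candidate {src}: {total} bytes to udp/80")
```

The candidate list is meant to be reviewed (or fed to a trigger router only after that review), which is the "diligence" both posters agree is needed.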