[149505] in North American Network Operators' Group
Re: UDP port 80 DDoS attack
daemon@ATHENA.MIT.EDU (Jeff Wheeler)
Mon Feb 6 23:13:28 2012
In-Reply-To: <Pine.LNX.4.64.1202070126150.14602@a84-22-97-10.cb3rob.net>
Date: Mon, 6 Feb 2012 23:12:26 -0500
From: Jeff Wheeler <jsw@inconcepts.biz>
To: nanog@nanog.org
On Mon, Feb 6, 2012 at 8:43 PM, Sven Olaf Kamphuis <sven@cb3rob.net> wrote:
> there is a fix for it, it's called "putting a fuckton of ram in -most-
> routers on the internet" and keeping statistics for each destination
> ip:destination port:outgoing interface so that none of them individually can
> (entirely/percentage-wise compared to other traffic) flood the outgoing
> interface on that router... end result, if enough routers are structured
> like that, is that ddos attacks will become completely useless.
There are two obvious problems with your approach.
First, adding the policers you suggest, at the scale needed, is a
little harder than you imagine. It's not a simple matter of the cost
of RAM but also power/heat density per port.
Second, if you re-engineer every router on the Internet to prevent an
interface from being congested by malicious flow(s) destined for one
particular destination IP:port, then DDoS attacks will simply target
multiple ports or multiple destination IP addresses that are likely to
traverse a link they are able to congest.
If you want to dramatically increase the cost of routers in order to
solve the problem of DDoS with one deft (and expensive) move, you have
to imagine that the people behind DDoS attacks aren't complete idiots,
and will actually spend some time thinking about how to defeat your
system.
-- 
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
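The per-destination policer proposed in the quoted message, and the evasion Jeff Wheeler describes in his reply, as an added toy model that is not part of the thread and not anyone's router code. It assumes a single egress interface (so the policer key reduces to dst_ip:dst_port), traffic counted in packets per interval, a 10% per-key share of a 1000-packet link, and a congested link that drops every flow's admitted traffic in proportion, a crude stand-in for a shared tail-drop queue. The legitimate flow, the single-key UDP/80 flood and the two spread-out variants are all constructed inputs; the addresses are from the 192.0.2.0/24 documentation range.

```python
"""Toy model of a per-(dst_ip, dst_port, egress) policer and how an attacker
spreads traffic over many keys to defeat it.  Added example; all traffic and
parameters below are constructed assumptions, not measurements."""
from collections import Counter, defaultdict
from math import ceil

CAPACITY = 1000    # packets the interface forwards per interval (assumed)
MAX_SHARE = 0.10   # no single destination key may take more than 10% (assumed)


def police(packets, capacity=CAPACITY, max_share=MAX_SHARE):
    """Apply the per-key policer, then resolve congestion on the link.

    packets: iterable of (dst_ip, dst_port, label), one entry per packet.
    Returns (packets forwarded per label, number of policer state entries).
    """
    per_key_cap = capacity * max_share
    per_key = defaultdict(int)   # policer state: one counter per destination key
    admitted = Counter()         # packets that survived the policer, per label
    for dst_ip, dst_port, label in packets:
        key = (dst_ip, dst_port)
        if per_key[key] >= per_key_cap:
            continue             # this destination already used its share: drop
        per_key[key] += 1
        admitted[label] += 1
    demand = sum(admitted.values())
    if demand > capacity:        # link congested: every flow loses proportionally
        scale = capacity / demand
        forwarded = Counter({lbl: n * scale for lbl, n in admitted.items()})
    else:
        forwarded = Counter(admitted)
    return forwarded, len(per_key)


def flow(label, dst_ip, dst_port, n):
    """n packets of one flow to a single destination key."""
    return [(dst_ip, dst_port, label)] * n


def keys_needed(max_share=MAX_SHARE):
    """Distinct destination keys an attacker needs before the per-key cap stops
    protecting the link: once the caps sum to the capacity, congestion is back."""
    return ceil(1 / max_share)


# Constructed traffic.  The legitimate flow is HTTPS to one host behind the link.
LEGIT = flow("legit", "192.0.2.10", 443, 80)

# Attack 1: everything aimed at one key (the UDP/80 flood the thread is about).
SINGLE_KEY = flow("attack", "192.0.2.10", 80, 5000)

# Attack 2: the same volume spread over 50 destination ports on the same host.
MANY_PORTS = [p for port in range(1024, 1074)
              for p in flow("attack", "192.0.2.10", port, 100)]

# Attack 3: the same volume spread over 50 hosts in the prefix behind the link.
MANY_HOSTS = [p for host in range(11, 61)
              for p in flow("attack", f"192.0.2.{host}", 80, 100)]


def run_all():
    """Run each attack variant against the legitimate flow.
    Returns {name: (legit packets forwarded, attack packets forwarded, entries)}."""
    results = {}
    for name, attack in (("single key", SINGLE_KEY),
                         ("50 ports", MANY_PORTS),
                         ("50 hosts", MANY_HOSTS)):
        fwd, entries = police(LEGIT + attack)
        results[name] = (fwd["legit"], fwd["attack"], entries)
    return results


if __name__ == "__main__":
    print(f"attacker needs >= {keys_needed()} distinct keys to congest the link")
    for name, (legit, attack, entries) in run_all().items():
        print(f"{name:10}: legit {legit:6.1f}/80  attack {attack:7.1f}"
              f"  policer entries {entries}")
```

With one key the policer holds the flood to 100 packets and the 80-packet legitimate flow passes untouched; with the same flood spread over 50 ports or 50 hosts, every key stays under its cap, the link carries 5080 admitted packets against a capacity of 1000, and the legitimate flow keeps under 16 of its 80 packets. The entry count (51 keys for a single flood against one prefix) is the per-interface state the scheme has to hold, which is the RAM and power/heat point in the reply.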