[149551] in North American Network Operators' Group
Re: UDP port 80 DDoS attack
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG Group <nanog@nanog.org>
Date: Wed, 8 Feb 2012 08:29:31 +0000
In-Reply-To: <CAEs2ZiK0V5yNU3ni6HGt6vbGpnbNquvxsq0uWrbpYO94EFYeDg@mail.gmail.com>
On Feb 8, 2012, at 2:56 PM, bas wrote:
> The big drawback with S/RTBH is that it is a DoS method in itself.
I'm not an advocate of *automated* S/RTBH, and I am an advocate of whitelisting various well-known 'golden networks/IPs' via prefix-lists in order to avoid this issue in part; also, note that the concept of partial service recovery incorporates the notion of some legitimate traffic/users being blocked in order to maintain the availability of the targeted server/service/application for the majority of legitimate traffic/users.
Also note that S/RTBH isn't a universal panacea; it's just one tool in the toolbox. flowspec is more flexible due to its layer-4 granularity; and other types of tools such as IDMS are even more flexible and incorporate much richer classification technology.
It's important to understand that this isn't a theoretical discussion - I've personally utilized/helped others to utilize S/RTBH to successfully mitigate large-scale DDoS attacks, and it's a lowest-common-denominator in terms of a somewhat dynamic mitigation mechanism. Let's not make the perfect the enemy of the merely good.
;>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
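The whitelisting step Roland describes, as an added example that is not part of the thread: candidate attack sources are derived from constructed flow records toward the attacked UDP port, any source inside an assumed 'golden' prefix list is exempted from the S/RTBH drop set, and the share of total traffic the blackhole would discard is reported as the partial-service-recovery cost. The flow records, prefixes and thresholds are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (src_ip, udp_dst_port, packets); not real telemetry.
SAMPLE_FLOWS = [
    ("203.0.113.10", 80, 90000),
    ("203.0.113.11", 80, 85000),
    ("198.51.100.7", 80, 70000),   # high volume, but inside a 'golden' prefix below
    ("198.51.100.200", 53, 400),
    ("192.0.2.5", 80, 120),
]

# Assumed 'golden' networks that must never be blackholed (upstream peers,
# resolvers, monitoring). Documentation prefixes stand in for real ones.
GOLDEN_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "192.0.2.0/24")]


def candidate_sources(flows, dst_port=80, pkt_threshold=10000):
    """Sources whose packet count toward the attacked port exceeds the threshold."""
    counts = Counter()
    for src, port, pkts in flows:
        if port == dst_port:
            counts[ipaddress.ip_address(src)] += pkts
    return {src for src, n in counts.items() if n >= pkt_threshold}


def is_golden(addr, golden=GOLDEN_PREFIXES):
    """True when the address falls inside any whitelisted prefix."""
    return any(addr in net for net in golden)


def build_srtbh(candidates, golden=GOLDEN_PREFIXES):
    """Split candidates into /32 blackhole routes and whitelisted exemptions."""
    drop = {ipaddress.ip_network(f"{a}/32") for a in candidates if not is_golden(a, golden)}
    exempt = {a for a in candidates if is_golden(a, golden)}
    return drop, exempt


def blocked_share(flows, drop):
    """Fraction of all packets the blackhole would discard (the partial-recovery cost)."""
    total = sum(p for _, _, p in flows)
    dropped = sum(p for s, _, p in flows
                  if any(ipaddress.ip_address(s) in net for net in drop))
    return dropped / total if total else 0.0


if __name__ == "__main__":
    drop, exempt = build_srtbh(candidate_sources(SAMPLE_FLOWS))
    print("blackhole:", sorted(map(str, drop)), "exempt:", sorted(map(str, exempt)))
    print("share of traffic dropped:", round(blocked_share(SAMPLE_FLOWS, drop), 3))
```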