[149555] in North American Network Operators' Group
RE: UDP port 80 DDoS attack
daemon@ATHENA.MIT.EDU (George Bonser)
Wed Feb 8 04:52:07 2012
From: George Bonser <gbonser@seven.com>
To: Keegan Holley <keegan.holley@sungard.com>
Date: Wed, 8 Feb 2012 09:51:15 +0000
In-Reply-To: <CABO8Q6RfMn0Np-RYFQ7YBP94bftwu0kHTtiO5ufxRdyGBsKe=w@mail.gmail.com>
Cc: nanog <nanog@nanog.org>
> From: Keegan Holley
> Subject: Re: UDP port 80 DDoS attack
> It works in theory, but to get every ISP and hosting provider to ACL their edges and maintain those ACLs for every customer no matter how large might be a bit difficult.

You don't have to ACL in most cases. RPF works for most. There will be a few, relatively darned few, that you will need to ACL, but RPF takes care of a large number of them.

Besides, I never meant to imply that this business was easy and not "difficult".

> Also, what about non-BGP customers or customers that just accept a default route?

I don't follow. The ISP still knows what traffic gets routed TO them. You only accept FROM them what you route TO them, even if you hand them a default route.

> Or even customers that just want return traffic to come in a different link for some reason.

Still don't follow. I am not talking about having a firewall that is stateful. I am talking packet by packet. If you don't route it to them, you don't accept it from them unless you have made arrangements otherwise, which will be a small percentage of your customers. Sure, some might be multihomed but it is easy enough to verify that they have the networks in question SWIPed to them or a call to the other provider can clear that up in a few minutes. It isn't THAT hard.

> ISPs would suddenly become giant traffic registries.

No, we have registries to act as registries, the ISPs should be checking them, and double checking. It isn't something that is going to change every day or every week. Once you get it set up, it is going to be stable for a while. Sure, it means a little more work in setting up a customer, but it also means that if all your neighbors do the same thing, you field many fewer calls dealing with stupid DoS crap.
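The rule George describes ("you only accept FROM them what you route TO them", with a small ACL for the few multihomed exceptions) is strict unicast RPF on the customer edge. The following is an added toy model of that check, not code from the thread; the routing table, interface names and prefixes are constructed.

```python
# Added example: strict unicast RPF as described in the thread. A packet
# arriving on a customer interface is accepted only if the ISP's own route
# for the packet's SOURCE address points back out that same interface, or
# the interface has an explicit exception ("arrangements otherwise", e.g. a
# multihomed customer whose space is SWIPed to them). All values constructed.
import ipaddress

# Constructed ISP routing table: prefix -> egress interface. The customer's
# own view (default route or not) is irrelevant; only the ISP's table matters.
ROUTES = {
    "0.0.0.0/0": "transit0",        # default route points at upstream transit
    "203.0.113.0/24": "cust-a",
    "198.51.100.0/24": "cust-b",
}

# Constructed per-interface exceptions: source prefixes a customer may
# originate although the ISP routes them elsewhere (the multihomed case).
EXCEPTIONS = {
    "cust-b": ["192.0.2.0/24"],
}


def lookup(dst: str, routes=ROUTES) -> str:
    """Longest-prefix match: return the egress interface for an address."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def strict_urpf_accepts(src: str, ingress: str,
                        routes=ROUTES, exceptions=EXCEPTIONS) -> bool:
    """Packet-by-packet decision for a customer-facing interface: accept only
    if we would route the source back to `ingress`, or an exception matches.
    A source that only hits the default route would be routed to transit,
    so a customer spoofing arbitrary addresses is dropped."""
    if lookup(src, routes) == ingress:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p)
               for p in exceptions.get(ingress, []))
```

Note that the check is meant for customer edges: on the transit interface the default route points back at it, so strict RPF there would accept everything.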