[149563] in North American Network Operators' Group
Re: UDP port 80 DDoS attack
daemon@ATHENA.MIT.EDU (Keegan Holley)
Wed Feb 8 10:19:30 2012
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09CBC06E@RWC-MBX1.corp.seven.com>
From: Keegan Holley <keegan.holley@sungard.com>
Date: Wed, 8 Feb 2012 10:18:29 -0500
To: George Bonser <gbonser@seven.com>
Cc: nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 8, 2012, at 4:51 AM, George Bonser <gbonser@seven.com> wrote:
>
>
>> From: Keegan Holley
>> Subject: Re: UDP port 80 DDoS attack
>
>> It works in theory, but to get every ISP and hosting provider to ACL their edges and maintain those ACLs for every customer no matter how large might be a bit difficult.
>
> You don't have to ACL in most cases. RPF works for most. There will be a few, relatively darned few, that you will need to ACL, but RPF takes care of a large number of them.
>
RPF on the whole Internet would pretty much lead to an instant outage. What happens when you have two upstreams and one has an incoming route to you but your outgoing route for whichever of their customers is talking to you doesn't agree? Instant outage. Multiply that by the entire table and then add churn. I'd give it a week before everyone turned it off, if you could even get them to enable it to begin with.

>
>> Also, what about non-BGP customers or customers that just accept a default route?
>
> I don't follow. The ISP still knows what traffic gets routed TO them. You only accept FROM them what you route TO them, even if you hand them a default route.
>
>
>> Or even customers that just want return traffic to come in a different link for some reason.
>
> Still don't follow. I am not talking about having a firewall that is stateful. I am talking packet by packet. If you don't route it to them, you don't accept it from them unless you have made arrangements otherwise, which will be a small percentage of your customers. Sure, some might be multihomed but it is easy enough to verify that they have the networks in question SWIPed to them or a call to the other provider can clear that up in a few minutes. It isn't THAT hard.
>
>
>> ISPs would suddenly become giant traffic registries.
>
>
> No, we have registries to act as registries, the ISPs should be checking them, and double checking. It isn't something that is going to change every day or every week. Once you get it set up, it is going to be stable for a while. Sure, it means a little more work in setting up a customer, but it also means that if all your neighbors do the same thing, you field many fewer calls dealing with stupid DoS crap.
>
>
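The two positions in the thread (RPF works at the customer edge; strict RPF breaks on asymmetric transit paths) can be made concrete with a small model. This is an added illustration, not code from the thread or from any vendor: the FIB, interface names and sample packets are constructed, and the two checks are the usual strict and loose unicast RPF rules applied against a longest-prefix match.

```python
import ipaddress

# Constructed FIB for a router with two upstreams (A, B) and one customer port.
# Each entry: destination prefix -> egress interface of the best route.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "upstream_a",        # default route via A
    ipaddress.ip_network("198.51.100.0/24"): "upstream_b",  # best reached via B
    ipaddress.ip_network("203.0.113.0/24"): "customer_1",   # customer's SWIPed block
}


def best_route(ip):
    """Longest-prefix match: return (prefix, egress interface) or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, ifc) for net, ifc in FIB.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def strict_urpf(src, ingress):
    """Strict mode: accept only if the best route back to src leaves via the
    interface the packet arrived on ("accept FROM them what you route TO them")."""
    route = best_route(src)
    return route is not None and route[1] == ingress


def loose_urpf(src, ingress):
    """Loose mode: accept if any non-default route to src exists at all.
    Ingress is ignored, which is why it survives asymmetric paths but
    catches far less spoofing."""
    route = best_route(src)
    return route is not None and route[0].prefixlen > 0


# Constructed sample packets: (source address, ingress interface, what it models).
SAMPLE_PACKETS = [
    ("203.0.113.7", "customer_1", "customer sends from its own block"),
    ("192.0.2.9", "customer_1", "customer sends from a block never routed to it"),
    ("198.51.100.5", "upstream_b", "symmetric: arrives on the interface we route back through"),
    ("198.51.100.5", "upstream_a", "asymmetric: we route back via B, packet came in via A"),
]


def evaluate():
    """Return (src, ingress, strict_verdict, loose_verdict) for each sample packet."""
    return [(src, ifc, strict_urpf(src, ifc), loose_urpf(src, ifc))
            for src, ifc, _ in SAMPLE_PACKETS]


if __name__ == "__main__":
    for src, ifc, strict, loose in evaluate():
        print(f"{src:14} in via {ifc:11} strict={strict!s:5} loose={loose}")
```

The last sample packet is the asymmetric case from the reply above: strict mode drops legitimate traffic as soon as the return path disagrees with the ingress link, while the customer-port cases show the check George describes working packet by packet.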