[167574] in North American Network Operators' Group
Re: ddos attacks
daemon@ATHENA.MIT.EDU (Edward Lewis)
Thu Dec 19 11:18:17 2013
From: Edward Lewis <ed.lewis@neustar.biz>
In-Reply-To: <CAD6AjGSbQZchc5mNi8gawrhd15YVFJVu87ABM_FpM-RN9iA4aw@mail.gmail.com>
Date: Thu, 19 Dec 2013 11:18:03 -0500
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Dec 18, 2013, at 18:12, cb.list6 wrote:
> I am strongly considering having my upstreams simply rate limit ipv4
> UDP. It is the simplest solution that is proactive.
Recently it's been said that when a protocol is "query/response" (like DNS), willingly suppressing responses might be as harmful as passing all the traffic.
This comes from a presentation at October's DNS-OARC workshop:
https://indico.dns-oarc.net//getFile.py/access?contribId=4&resId=0&materialId=slides&confId=1
This is a "what is possible in theory" presentation, said to help you set your expectation of whether this is a true threat or not.
The underlying message is that while a querier is waiting for a response, there is a window of vulnerability in which a forged response might be accepted. If the responder elects not to respond, they increase the (time) duration of that window.
While "smart" rate limiting exhibits benefits, I suspect "simple" rate limiting might have some undesirable consequences.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468
Why is it that people who fear government monitoring of social media are
surprised to learn that I avoid contributing to social media?
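The "window of vulnerability" argument in the post above is easy to put numbers on. The following is an added illustration, not code from the post, the DNS-OARC presentation or any resolver: it models a resolver that keeps a UDP transaction open until the genuine answer arrives or its retry timer fires, and compares how long the window stays open when the responder answers versus when an upstream silently drops the packets. The round-trip time, retry timer, attempt count and drop probability are all assumed parameters, and the model counts only time (it does not consider whether the resolver re-randomizes port and ID on retry).

```python
"""Model of the query/response 'window of vulnerability' (constructed example).

While a resolver waits for a UDP answer, a response matching the open
transaction would be accepted.  If the genuine answer is dropped by simple
rate limiting, the window runs to the retry timer instead of one round trip,
and each retry opens a further window.  All timings below are assumptions.
"""
import random


def expected_open_window(rtt, timeout, tries, drop_prob):
    """Return (expected seconds the transaction stays open,
               probability the query never gets a genuine answer).

    rtt       - round-trip time when the responder answers (assumed)
    timeout   - resolver retry timer per attempt (assumed)
    tries     - attempts before the resolver gives up
    drop_prob - probability a given attempt is dropped upstream
    """
    expected = 0.0
    for _ in range(tries):
        # Answered attempt: window closes after one RTT.
        # Dropped attempt: window runs to the timer, then the remaining
        # attempts (already accumulated in `expected`) add their own time.
        expected = (1 - drop_prob) * rtt + drop_prob * (timeout + expected)
    return expected, drop_prob ** tries


def simulate_open_window(rtt, timeout, tries, drop_prob, trials=20000, seed=1):
    """Monte Carlo cross-check of expected_open_window with a fixed seed."""
    rng = random.Random(seed)
    total_open = 0.0
    unanswered = 0
    for _ in range(trials):
        elapsed = 0.0
        for _attempt in range(tries):
            if rng.random() < drop_prob:
                elapsed += timeout          # dropped: wait out the timer
            else:
                elapsed += rtt              # answered: window closes
                break
        else:
            unanswered += 1                 # every attempt was dropped
        total_open += elapsed
    return total_open / trials, unanswered / trials


def compare_policies(rtt=0.05, timeout=1.0, tries=3):
    """Expected open window for three upstream behaviours (assumed timings)."""
    policies = (("answer everything", 0.0),
                ("drop half of the traffic", 0.5),
                ("drop all of the traffic", 1.0))
    return {label: expected_open_window(rtt, timeout, tries, p)
            for label, p in policies}


if __name__ == "__main__":
    for label, (window, fail) in compare_policies().items():
        print(f"{label:26s} window {window:6.3f} s  unanswered {fail:.3f}")
    print("simulation (drop half):",
          simulate_open_window(0.05, 1.0, 3, 0.5))
```

With the assumed 50 ms RTT and a 1 s retry timer over three attempts, answering keeps the window at one RTT, while dropping everything holds it open for the full 3 s and leaves the query unanswered; the simulation agrees with the closed-form recursion within sampling error.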