[167576] in North American Network Operators' Group


Re: ddos attacks

daemon@ATHENA.MIT.EDU (cb.list6)
Thu Dec 19 11:37:11 2013

In-Reply-To: <E2A08F47-E97C-480B-8245-D83354F32876@neustar.biz>
Date: Thu, 19 Dec 2013 08:33:21 -0800
From: "cb.list6" <cb.list6@gmail.com>
To: Edward Lewis <ed.lewis@neustar.biz>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Dec 19, 2013 at 8:18 AM, Edward Lewis <ed.lewis@neustar.biz> wrote:

> On Dec 18, 2013, at 18:12, cb.list6 wrote:
>
> > I am strongly considering having my upstreams to simply rate limit ipv4
> > UDP. It is the simplest solution that is proactive.
>
>
> Recently it's been said that when a protocol is "query/response" (like
> DNS), willingly suppressing responses might be as harmful as passing all
> the traffic.
>
> This comes from a presentation at October's DNS-OARC workshop:
>
> https://indico.dns-oarc.net//getFile.py/access?contribId=4&resId=0&materialId=slides&confId=1
>
> This is a "what is possible in theory" presentation, said to help you set
> your expectation whether this is a true threat or not.
>
> The underlying message is that while a querier is waiting for a response,
> there is a window of vulnerability in which a forged response might be
> accepted.  If the responder elects not to respond, they increase the (time)
> duration of that window.
>
> While "smart" rate limiting exhibits benefits I suspect "simple" rate
> limiting might have some undesirable consequences.
>
>

I completely agree.  This is why I have not yet implemented IPv4 UDP
rate-limiting, but it seems inevitable for 2014 if these attacks go on.

The profile I have in mind is when UDP exceeds 5x the baseline, then
tail-drop.

Keep in mind, when UDP exceeds 5x the baseline, the chances are 99%
that the UDP is consuming the entire ISP pipe and everything is
rate-limited due to the pipe being saturated.  So, this is not a simple
either / or. This is degrade UDP proactively or suffer all traffic
degrading because there is a huge DDoS coming in (which is the current
situation).



> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at
> +1-571-434-5468
>
> Why is it that people who fear government monitoring of social media are
> surprised to learn that I avoid contributing to social media?
>
>
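A toy model of the trade-off described in the post above, added here as an example and not code from the thread or its authors: it assumes a fixed-capacity link, a UDP baseline taken as the mean of quiet-period samples, and proportional tail-drop of every class once the link saturates (all rates are constructed sample values).

```python
# Added example (not from the thread): a toy model of the trade-off cb.list6 describes.
# A link of fixed capacity carries a mix of TCP and UDP. With no policy, a UDP flood
# saturates the pipe and every class is tail-dropped in proportion. With a UDP cap of
# 5x the observed UDP baseline, the flood is clipped first and the other traffic survives.
# All rates are constructed sample values in Mbit/s; the 5x multiplier is the one from the post.

UDP_MULTIPLIER = 5.0  # "when UDP exceeds 5x the baseline, then tail-drop"


def udp_baseline(samples):
    """Baseline UDP rate: mean of the normal-day samples (assumption: a simple mean)."""
    return sum(samples) / len(samples)


def deliver(offered, capacity, udp_cap=None):
    """Return the delivered rate per traffic class after policing and link saturation.

    offered:  dict of class -> offered Mbit/s
    capacity: link capacity in Mbit/s
    udp_cap:  if set, UDP above this rate is tail-dropped before it reaches the link
    """
    shaped = dict(offered)
    if udp_cap is not None:
        shaped["udp"] = min(shaped["udp"], udp_cap)
    total = sum(shaped.values())
    if total <= capacity:
        return shaped
    # Saturated link: crude tail-drop shares the pipe in proportion to offered load,
    # so TCP and everything else degrade along with the flood.
    share = capacity / total
    return {k: v * share for k, v in shaped.items()}


def compare(offered, capacity, baseline_samples):
    """Delivered traffic with no policy versus a UDP cap at 5x the baseline."""
    cap = UDP_MULTIPLIER * udp_baseline(baseline_samples)
    return {
        "no_policy": deliver(offered, capacity),
        "udp_5x_cap": deliver(offered, capacity, udp_cap=cap),
    }


if __name__ == "__main__":
    # Constructed scenario: 1 Gbit/s pipe, normal UDP around 20 Mbit/s, then a 2 Gbit/s UDP flood.
    normal_udp = [18.0, 22.0, 20.0, 19.0, 21.0]
    attack = {"tcp": 600.0, "udp": 2000.0, "other": 50.0}
    for name, result in compare(attack, 1000.0, normal_udp).items():
        print(name, {k: round(v, 1) for k, v in result.items()})
```

Without the cap the 2 Gbit/s flood takes roughly three quarters of the pipe and TCP is cut to about a third of its offered rate; with the cap, UDP is clipped to 100 Mbit/s and every other class gets through untouched.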
