[167595] in North American Network Operators' Group
Re: ddos attacks
daemon@ATHENA.MIT.EDU (Saku Ytti)
Fri Dec 20 03:27:45 2013
Date: Fri, 20 Dec 2013 10:27:21 +0200
From: Saku Ytti <saku@ytti.fi>
To: nanog@nanog.org
In-Reply-To: <E50EA4AB-500F-439C-A512-7DA24415D39D@arbor.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On (2013-12-20 03:24 +0000), Dobbins, Roland wrote:
> > I think ipv4 udp is just going to become operationally deprecated. Too much pollution. It is really an epic amount of trash / value ratio in ipv4 udp.
>
> This isn't a realistic viewpoint.
What are realistic options?
a) QUIC and MinimaLT
- 0 RTT overhead, like UDP
- no reflection attacks, like TCP
- all traffic encrypted
- parity packets to match packet loss to avoid need for resends (QUIC)
- non-bursty via packet pacing
- solution for buffer bloat (packet pacing can be affected by changing
latency) (QUIC)
- CPU hit, encryption isn't free, but shouldn't be issue today
- mobility, IP is not needed to recognize end-point, you can hop from
WLAN to 4G without disconnecting
b) ACL between transit provider and transit customer
- <50k ports to configure in whole world to make UDP reflection useless
DoS vector
c) ACL/RPF in significant portion of access ports in whole world
- I'm guessing significant portion of access ports are on autopilot with
no one to change their configs, so probably not practical.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
>
>
--
++ytti
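To make options (b) and (c) from the list above concrete, here is a small added illustration (not code from the thread or from any vendor): a transit-edge policy that drops UDP arriving from well-known reflector source ports unless the customer has exempted them, and a strict-uRPF style check on an access port. The reflector port list and the sample packets are constructed assumptions, not values from the post.

```python
"""Toy model of two mitigations from the thread:
(b) an ACL on the transit provider -> transit customer link that drops UDP
    whose source port belongs to a commonly abused reflector service, and
(c) a strict uRPF check on an access port that drops spoofed sources.
Added illustration only; not code from the post or from any router vendor."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: UDP services commonly abused as reflectors (chargen, DNS, NTP,
# SNMP, SSDP). Constructed list for the example, not taken from the post.
REFLECTOR_SRC_PORTS = frozenset({19, 53, 123, 161, 1900})


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "udp" or "tcp"
    sport: int   # source port
    dport: int   # destination port


def transit_edge_acl(pkt: Packet, exempt_src_ports=frozenset()) -> str:
    """Option (b): on the provider->customer link, deny UDP sourced from a
    reflector port unless the customer asked for that port to be exempted
    (e.g. they run a resolver that must receive replies from port 53)."""
    if pkt.proto != "udp":
        return "permit"
    if pkt.sport in REFLECTOR_SRC_PORTS and pkt.sport not in exempt_src_ports:
        return "deny"
    return "permit"


def access_port_rpf(pkt: Packet, assigned_prefixes) -> str:
    """Option (c): strict uRPF on an access port. A packet whose source is
    not inside the prefixes assigned to that port is spoofed, so deny it."""
    src = ip_address(pkt.src)
    return "permit" if any(src in ip_network(p) for p in assigned_prefixes) else "deny"


def evaluate_sample() -> dict:
    """Constructed packets: a reflected NTP reply at the transit edge, an
    exempted DNS reply, a TCP flow, and a spoofed request on an access port."""
    ntp_reply = Packet("198.51.100.10", "203.0.113.5", "udp", 123, 40000)
    dns_reply = Packet("198.51.100.20", "203.0.113.53", "udp", 53, 41000)
    tcp_flow = Packet("198.51.100.30", "203.0.113.80", "tcp", 443, 42000)
    spoofed = Packet("203.0.113.5", "198.51.100.10", "udp", 50000, 123)
    return {
        "ntp_reply": transit_edge_acl(ntp_reply),
        "dns_reply_exempt": transit_edge_acl(dns_reply, frozenset({53})),
        "tcp_flow": transit_edge_acl(tcp_flow),
        "spoofed_on_access": access_port_rpf(spoofed, ["192.0.2.0/24"]),
    }
```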