[175941] in North American Network Operators' Group
RE: DDOS, IDS, RTBH, and Rate limiting
daemon@ATHENA.MIT.EDU (Frank Bulk)
Sat Nov 8 21:42:53 2014
X-Original-To: nanog@nanog.org
From: "Frank Bulk" <frnkblk@iname.com>
To: "'Roland Dobbins'" <rdobbins@arbor.net>,
"NANOG" <nanog@nanog.org>
In-Reply-To: <A035443B-2B27-4310-BC1A-6D48AE50414F@arbor.net>
Date: Sat, 8 Nov 2014 20:42:38 -0600
Errors-To: nanog-bounces@nanog.org
There's no doubt, rate-limiting is a poor-man's way of getting the job done,
but for small operators who aren't as well instrumented (whether that's due to
staff or resources), a simple rule such as:
access-list 100 ip host 0.0.0.0 0.0.0.0 rate-limit 200000
access-list 100 ip host 0.0.0.0 0.0.0.255 rate-limit 5000000
int vlan 10
description Internet uplink
ip access-group 100 in
!
would be great.
Yes, the /32 under attack would essentially be out of service, but at least
the downstream network doesn't get congested and more customers aren't affected.
Frank
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Roland Dobbins
Sent: Saturday, November 08, 2014 8:28 PM
To: NANOG
Subject: Re: DDOS, IDS, RTBH, and Rate limiting
On 9 Nov 2014, at 8:59, Frank Bulk wrote:
> I've written it before: if there was a software feature in routers where I
> could specify the maximum rate any prefix size (up to /32) could receive,
> that would be very helpful.
QoS generally isn't a suitable mechanism for DDoS mitigation, as the
programmatically-generated attack traffic ends up 'crowding out'
legitimate traffic.
S/RTBH, flowspec, and other methods tend to produce better results.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
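As an added illustration (not part of either post), the simulation below applies a token-bucket limiter at the 200 kbit/s per-/32 rate from Frank's example rule to a constructed mix of legitimate and flood traffic aimed at the same host. It shows Roland's point about crowding out: the downstream link stays within the cap, but almost every packet that survives the limiter belongs to the flood, so the legitimate traffic toward that /32 is effectively gone. Packet sizes, rates and the burst allowance are assumptions chosen for the example.

```python
"""Token-bucket simulation of a per-/32 rate limit under a volumetric flood.

Added example, not from the NANOG thread. The 200 kbit/s cap mirrors the
per-/32 rule in Frank's message; the traffic mix below is constructed.
"""
from collections import Counter


def token_bucket(packets, rate_bps, burst_bytes):
    """Classic token bucket. packets are (time_s, size_bytes, label) tuples.
    Returns the labels of the packets that were forwarded, in arrival order."""
    tokens = float(burst_bytes)   # start with a full bucket
    last_t = 0.0
    forwarded = []
    for t, size, label in sorted(packets):
        # refill at rate_bps (bits/s), capped at the burst size
        tokens = min(burst_bytes, tokens + (t - last_t) * rate_bps / 8)
        last_t = t
        if size <= tokens:        # enough tokens: forward and charge the bucket
            tokens -= size
            forwarded.append(label)
        # otherwise the packet is dropped (no tokens are consumed)
    return forwarded


def constructed_traffic(duration_s, legit_pps, attack_pps, size=1000):
    """Evenly spaced legitimate and flood packets toward one /32 (constructed)."""
    pkts = [(i / legit_pps, size, "legit") for i in range(int(duration_s * legit_pps))]
    pkts += [(i / attack_pps, size, "attack") for i in range(int(duration_s * attack_pps))]
    return pkts


def survival(rate_bps, burst_bytes, duration_s, legit_pps, attack_pps):
    """Run the limiter and report how the legitimate traffic fared.

    legit_survival: share of legitimate packets that got through.
    attack_share:   share of the forwarded packets that belong to the flood.
    forwarded:      total packets the limiter let onto the downstream link.
    """
    pkts = constructed_traffic(duration_s, legit_pps, attack_pps)
    counts = Counter(token_bucket(pkts, rate_bps, burst_bytes))
    total_fwd = sum(counts.values())
    return {
        "legit_survival": counts["legit"] / int(duration_s * legit_pps),
        "attack_share": counts["attack"] / total_fwd if total_fwd else 0.0,
        "forwarded": total_fwd,
    }


if __name__ == "__main__":
    # 200 kbit/s cap, 25 kB burst, 10 s, 10 pps legitimate, 1000 pps flood
    print("quiet:", survival(200_000, 25_000, 10, 10, 0))
    print("flood:", survival(200_000, 25_000, 10, 10, 1000))
```

The limiter does what Frank wants for the rest of the network (forwarded volume never exceeds burst plus rate times duration), while the quiet-versus-flood comparison shows the host under attack losing nearly all of its legitimate packets.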