[189037] in North American Network Operators' Group


Re: BGP FlowSpec

daemon@ATHENA.MIT.EDU (Martin Bacher)
Mon May 2 09:52:35 2016

X-Original-To: nanog@nanog.org
From: Martin Bacher <ti14m028@technikum-wien.at>
In-Reply-To: <85604b28716869b3fb41f233482f9b36.squirrel@mail.scarynet.org>
Date: Mon, 2 May 2016 15:48:37 +0200
To: outsider@scarynet.org
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


> On 02.05.2016 at 15:03, Alexander Maassen <outsider@scarynet.org> wrote:
>
> On Mon, May 2, 2016 2:30 pm, Danny McPherson wrote:
>> We use it effectively in a layered model where "Principle of Minimal
>> Intervention" applies, allowing attack mitigation and traffic diversion
>> in the most optimal place (e.g., at network ingress), and only scrubbing
>> or diverting traffic when necessary.
>
> Sorry to say, but the most optimal place for DDoS mitigation is at network
> egress of origin. What comes to mind regarding that is the ability for
> target ASN telling source ASN to stop sending packets from a specific
> (let's say /29) in the case of a DDoS (with appropriate security measures
> in place of course).
>
> Because, let's face it, why would a target of a DDoS need to nullroute
> itself?

Well, I think ingress filtering at the Internet edge (see BCP38 and
BCP84) would be the best approach. But we as an Internet community are
clearly failing in that area. And origin ASes of amplification and
reflection attacks are most probably not able to detect DNS ANY queries
or NTP monlist queries at a low rate without DPI. The networks used for
reflection and amplification may be able to detect an ongoing attack and
they will then hopefully fix their implementations and not deploy egress
filters.

So the question is how to get rid of source IP address spoofing at all?
I don't see any chance by now to push ASes, which are not filtering
properly, to implement ingress filtering. What could help is to add
session handling to UDP-based protocols as proposed by Christian Rossow
and implemented by Google in QUIC. But that's again just a workaround
and may create new problems because of backwards compatibility issues.

So filtering as precise as possible and as close as possible to the
attack source is maybe the best option we have at the moment.
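The "DPI" the message refers to is the point that a single DNS ANY query or NTP monlist request at a low rate is indistinguishable from normal traffic in flow records (5-tuple, packet and byte counts) and only shows up once the UDP payload itself is inspected. The following is an added example, not code from any of the posters or from any product named in the thread, of what that payload inspection looks like in Python. The sample packets, IP addresses (documentation ranges) and the classify_packets helper are constructed for this example; the protocol constants are from RFC 1035 (QTYPE ANY = 255) and ntpd's mode 7 "private" request format (MON_GETLIST = 20, MON_GETLIST_1 = 42).

```python
"""Payload-level detection of DNS ANY queries and NTP monlist requests.

Added example for this thread, not code from any of the posters. The
packets below are constructed by hand for the demo; the protocol constants
come from RFC 1035 (QTYPE ANY = 255) and ntpd's mode 7 "private" request
format (MON_GETLIST = 20, MON_GETLIST_1 = 42).
"""
import struct

DNS_QTYPE_ANY = 255
NTP_MODE_PRIVATE = 7
NTP_MONLIST_REQUEST_CODES = {20, 42}  # MON_GETLIST, MON_GETLIST_1


def build_dns_query(name, qtype, txid=0x1234):
    """Construct a minimal DNS query (one question, RD set). Used only to
    fabricate sample packets for this example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_dns_query(payload):
    """Return (qname, qtype) for a well-formed single-question DNS query,
    or None for responses, truncated packets and anything else."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1:  # QR bit set means a response
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):  # no compression in a question
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype


def is_dns_any_query(payload):
    parsed = parse_dns_query(payload)
    return parsed is not None and parsed[1] == DNS_QTYPE_ANY


def is_ntp_monlist_request(payload):
    """NTP mode 7 request whose request code is one of the monlist codes.
    Byte 0: R|M|VN(3)|Mode(3); byte 1: A|sequence; byte 2: implementation;
    byte 3: request code."""
    if len(payload) < 8:
        return False
    response_bit, mode = payload[0] & 0x80, payload[0] & 0x07
    if mode != NTP_MODE_PRIVATE or response_bit:
        return False
    return payload[3] in NTP_MONLIST_REQUEST_CODES


def classify_packets(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, udp_payload).
    Returns the subset that looks like reflection-attack probes, labelled.
    In a real attack src_ip is the spoofed victim, so the useful output is
    which reflectors (dst_ip) are being abused, not who sent the packets."""
    hits = []
    for src_ip, dst_ip, dst_port, payload in packets:
        if dst_port == 53 and is_dns_any_query(payload):
            hits.append((src_ip, dst_ip, "dns-any-query"))
        elif dst_port == 123 and is_ntp_monlist_request(payload):
            hits.append((src_ip, dst_ip, "ntp-monlist"))
    return hits


# Constructed sample traffic (documentation address ranges, not real hosts).
NTP_MONLIST_PROBE = bytes.fromhex("1700032a00000000")  # mode 7, impl 3, code 42
NTP_CLIENT_REQUEST = b"\x1b" + b"\x00" * 47               # ordinary mode 3 client poll
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.53", 53, build_dns_query("example.com", 1)),
    ("192.0.2.10", "198.51.100.53", 53, build_dns_query("isc.org", DNS_QTYPE_ANY)),
    ("192.0.2.10", "198.51.100.123", 123, NTP_CLIENT_REQUEST),
    ("192.0.2.10", "198.51.100.123", 123, NTP_MONLIST_PROBE),
    ("192.0.2.10", "198.51.100.53", 53, b"\x12\x34\x81\x80" + b"\x00" * 8),  # a response
]

if __name__ == "__main__":
    for hit in classify_packets(SAMPLE_PACKETS):
        print(hit)
```

Two things worth noticing: the decision depends entirely on bytes past the UDP header (the QTYPE field, the NTP mode bits and request code), which is exactly what NetFlow/sFlow-style telemetry does not carry; and because the source address in a reflection attack is the victim's, payload inspection at the origin AS identifies the abused reflectors and the fact of spoofing, but cannot by itself point at the host that spoofed, which is why the message falls back on ingress filtering (BCP38/BCP84) as the real fix.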


