[38388] in North American Network Operators' Group


Re: engineering --> ddos and flooding

daemon@ATHENA.MIT.EDU (Mark Mentovai)
Mon Jun 4 14:40:33 2001

Date: Mon, 4 Jun 2001 14:34:00 -0400 (EDT)
From: Mark Mentovai <mark-list@mentovai.com>
To: Paul Johnson <pjohnson@bosconet.org>
Cc: <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.21.0106041219030.16273-100000@erskine.bosconet.org>
Message-ID: <Pine.GSO.4.33.0106041422001.19604-100000@oak.ggn.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


Paul Johnson wrote:
>To that end no NSP should ever allow spoofed IP addresses outside of
>their network. (not just RFC 1918 addresses but valid IPs that don't
>belong to that NSP)

Agreed, RFC 2827 should be the norm.  Maybe some day it will be.

>> This is a stop gap measure for customer networks.  Those null routed
>> /32s are not meant to be permanently advertised, they are meant to
>> free the customer's pipe from smurf/fraggle until the SP can do
>> something about it.  What would be the point of permanently
>> blackholing a host on your network?
>
>One more problem...what if your mail/web server is the target of the
>attack you have just taken that resource effectively off-line. No need
>to continue the DoS you've done the work of the attacker.

You've got to balance how badly the attack hurts against how badly this
method of stopping the attack hurts.  If someone launches a distributed
attack against my mail server, and it eats up all of the bandwidth I've
bought from my upstreams, then I've got zero connectivity.  You can be sure
I'd be in favor of taking my mail service offline to keep the rest of the
network running while I pursue the issue with the upstreams.  Ditto if
someone launches a massive attack against one of my customers and it has the
unfortunate side effect of destroying my connectivity (and that of all of my
other customers).  A filter of this type is never a long-term solution, but
if it can get me even partially online, that's better than nothing.

Mark
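The two mechanisms the thread is about, as an added example that is not part of the original post or of any router vendor's code: an RFC 2827 (BCP 38) source-address check on customer-facing ports, and a /32 null route that a longest-prefix-match lookup prefers over the covering customer prefix, so only the attacked host is dropped while the rest of the prefix keeps forwarding. Interface names, prefixes and addresses are constructed for illustration; the toy FIB is a stand-in for a real router's forwarding table.

```python
"""Toy edge-router forwarding model (added example, not from the thread).

Demonstrates:
  * RFC 2827 ingress filtering: a customer port only forwards packets whose
    source is inside that customer's assigned prefixes, so spoofed sources
    (including RFC 1918 space) are dropped at the edge.
  * Blackholing a DDoS target: adding a /32 route to Null0 wins the
    longest-prefix match over the customer's /24, so the victim's traffic is
    discarded before it fills the customer's (or the SP's) pipe, and the
    rest of the /24 stays reachable.  Removing the /32 restores normal
    forwarding once the upstreams have dealt with the source.
All prefixes, interfaces and addresses are hypothetical.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Hypothetical address plan: prefixes each customer port may source from.
CUSTOMER_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "Gi0/1": [ipaddress.ip_network("192.0.2.0/24")],      # customer A
    "Gi0/2": [ipaddress.ip_network("198.51.100.0/25")],   # customer B
}
# Upstream/transit ports: the whole Internet is a valid source there, so the
# allow-list style check does not apply (that is what RFC 2827 asks the
# *other* side to enforce on its own customers).
UPSTREAM_IFACES = {"upstream"}

NULL0 = "Null0"  # next hop meaning "discard"


def ingress_permits(iface: str, src: str) -> bool:
    """RFC 2827 check: on a customer port, forward only if src is in that
    customer's prefixes.  Unknown interfaces are fail-closed."""
    if iface in UPSTREAM_IFACES:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(iface, []))


class Fib:
    """Minimal longest-prefix-match forwarding table."""

    def __init__(self) -> None:
        self._routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, prefix: str, next_hop: str) -> None:
        self._routes.append((ipaddress.ip_network(prefix), next_hop))
        # Most specific prefix first, so lookup can return the first hit.
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def remove(self, prefix: str) -> None:
        net = ipaddress.ip_network(prefix)
        self._routes = [r for r in self._routes if r[0] != net]

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        for net, next_hop in self._routes:
            if addr in net:
                return next_hop
        return None  # no route at all


def forward(fib: Fib, iface: str, src: str, dst: str) -> str:
    """Decide what the edge does with one packet arriving on `iface`."""
    if not ingress_permits(iface, src):
        return "drop-spoofed"
    next_hop = fib.lookup(dst)
    if next_hop is None or next_hop == NULL0:
        return "drop-null"
    return "forward:" + next_hop


def build_fib() -> Fib:
    fib = Fib()
    fib.add("192.0.2.0/24", "Gi0/1")
    fib.add("198.51.100.0/25", "Gi0/2")
    fib.add("0.0.0.0/0", "upstream")
    return fib


def demo() -> Dict[str, str]:
    """Walk through the stop-gap: blackhole the victim /32, then lift it."""
    fib = build_fib()
    out: Dict[str, str] = {}
    # Customer A trying to source a packet from someone else's space.
    out["spoofed"] = forward(fib, "Gi0/1", "203.0.113.9", "198.51.100.1")
    # Attack traffic from the Internet toward host 192.0.2.25 in customer A.
    out["before"] = forward(fib, "upstream", "203.0.113.9", "192.0.2.25")
    fib.add("192.0.2.25/32", NULL0)          # ip route 192.0.2.25/32 Null0
    out["victim"] = forward(fib, "upstream", "203.0.113.9", "192.0.2.25")
    out["neighbor"] = forward(fib, "upstream", "203.0.113.9", "192.0.2.26")
    fib.remove("192.0.2.25/32")             # lift the stop-gap later
    out["after"] = forward(fib, "upstream", "203.0.113.9", "192.0.2.25")
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:>9}: {result}")
```

The point the model makes concrete: the /32 null route is deliberately the most specific entry, so it only ever affects the one host under attack, and it has to be removed again once the upstreams have filtered the sources, otherwise the operator has finished the attacker's job for him.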

