[38390] in North American Network Operators' Group
Re: engineering --> ddos and flooding
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Jun  4 14:53:45 2001
Message-Id: <200106041853.f54Ir9o03797@foo-bar-baz.cc.vt.edu>
To: Paul Johnson <pjohnson@bosconet.org>
Cc: nanog@merit.edu
In-reply-to: Your message of "Mon, 04 Jun 2001 12:20:41 EDT."
             <Pine.LNX.4.21.0106041219030.16273-100000@erskine.bosconet.org> 
From: Valdis.Kletnieks@vt.edu
Date: Mon, 04 Jun 2001 14:53:09 -0400
Errors-To: owner-nanog-outgoing@merit.edu

On Mon, 04 Jun 2001 12:20:41 EDT, Paul Johnson <pjohnson@bosconet.org>  said:
> Two NSPs should rate limit DoS traffic (ICMP & SYNs) within their
> networks in such a way that it can never DoS a T-1 (or E-1 if you are
> not in the US). [note: I'm not sure if Ciscos are up for this workload
> since I primarily work with Juniper.]

Hmm.. I'd be *REALLY* unhappy if our upstream decided to rate-limit SYN
packets to prevent a DoS of a T-1, since the smallest pipe we have
deployed is in the OC-3 category.

The problem is that a *distributed* DOS effectively bypasses this sort
of check - you have (for instance) 1000 zombie machines, each contributing
only a few packets per second.  So none of THEM gets filtered.  Each ISP
may have only 3-4 zombies, so even aggregated they don't trigger a filter.
Nothing trips a filter, until it gets loose inside a Tier-1, with traffic
converging on one outbound pipe to the victim from 8 or 10 different
peering points.  And at THAT point, it's too late.

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
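
The aggregation argument in the message above, worked through as an added example (not part of the original post or thread). It uses the message's figures of 1000 zombies, about 4 per ISP and 10 peering points; the 5 packets per second per zombie, the 40-byte SYN size and all names in the flow records are assumptions made for the illustration.

```python
from collections import defaultdict

T1_BPS = 1_544_000              # T-1 line rate in bits per second
SYN_BITS = 40 * 8               # assumption: minimal 40-byte SYN (IP + TCP headers)
LINK_PPS = T1_BPS // SYN_BITS   # SYNs per second that fill the victim's T-1

def build_flows(zombies=1000, per_isp=4, peers=10, pps=5):
    """Constructed data: one record per zombie with its ISP and peering point."""
    flows = []
    for z in range(zombies):
        isp = z // per_isp
        flows.append({"src": f"zombie-{z}", "isp": f"isp-{isp}",
                      "peer": f"peer-{isp % peers}", "pps": pps})
    return flows

def peak_rate(flows, key):
    """Highest aggregate rate any single bucket sees at this vantage point."""
    totals = defaultdict(int)
    for f in flows:
        # key=None means everything converges on the one link to the victim
        totals[f[key] if key else "victim-link"] += f["pps"]
    return max(totals.values())

def evaluate(flows, limit_pps=LINK_PPS):
    """Peak rate at each vantage point and whether a T-1-sized limit trips."""
    report = {}
    for name, key in [("per-source", "src"), ("per-ISP", "isp"),
                      ("per-peering-point", "peer"), ("victim-link", None)]:
        peak = peak_rate(flows, key)
        report[name] = (peak, peak > limit_pps)
    return report

if __name__ == "__main__":
    for name, (peak, trips) in evaluate(build_flows()).items():
        print(f"{name:18} peak={peak:5d} pps  limit={LINK_PPS} pps  trips={trips}")
```

With these assumptions, only the victim's own link exceeds the T-1-sized limit; every upstream vantage point stays well below it.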