[47339] in North American Network Operators' Group
Re: Effective ways to deal with DDoS attacks?
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Thu May 2 13:09:50 2002
Date: Thu, 2 May 2002 19:08:35 +0200 (CEST)
From: Iljitsch van Beijnum <iljitsch@muada.com>
To: "Christopher L. Morrow" <chris@UU.NET>
Cc: Pete Kruckenberg <pete@kruckenberg.com>, <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.33.0205021648390.11583-100000@rampart.argfrp.us.uu.net>
Message-ID: <20020502190220.F37031-100000@sequoia.muada.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 2 May 2002, Christopher L. Morrow wrote:
> Congrats on re-inventing the wheel :( This is what
> mazuu/arbor/wanwall(riverhead now?) all do... this is also the way
> CenterTrack(tm robert stone) was kind of supposed to work.
Thanks for the kind words.
Just to be clear: I'm not working on a _product_, just on a paper
explaining how to do this using standard components and protocols.
> As near as I can tell this doesn't scale too well in a large network.
If you have a router that can forward 10 Gbps in the right direction,
you can also have a router forward 10 Gbps in the wrong direction. That's
pretty much all it takes.
> This is a shame, but it's a reality. Additionally 20k sources max? that's not
> nearly enough, how many addresses are in 0/0 ? you should at least plan for
> this contingency...
The idea is to use unicast RPF. So you're only limited by the number of
routes a Cisco can hold. 20k per customer under attack should be doable
without too much effort, more should be possible, but filtering 0/0
defeats the purpose. Also, it can be done using a single line, so no
problem there.
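The mechanism Iljitsch describes, unicast RPF combined with per-source routes pointing at the null interface, can be modelled in a few lines. The following is an added illustration written for this archive page, not code from the thread or from any vendor: it simulates a router FIB with longest-prefix matching, installs a /32 Null0 route for each attack source, and then applies the uRPF source check in both loose and strict mode. All prefixes, interface names and the `Route`, `urpf_permits` and `blackhole_sources` names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One FIB entry: a prefix and the outgoing interface ("Null0" = discard)."""
    prefix: ipaddress.IPv4Network
    interface: str


def longest_match(fib, addr):
    """Return the most specific route covering addr, or None if no route exists."""
    addr = ipaddress.ip_address(addr)
    best = None
    for r in fib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_permits(fib, src, ingress, mode="loose"):
    """Unicast RPF check on a packet's source address.

    loose : the source must have a route that is not Null0 (any interface).
    strict: the route for the source must also point back out the ingress
            interface, which breaks asymmetric routing and is rarely usable
            at a transit edge.
    """
    r = longest_match(fib, src)
    if r is None or r.interface == "Null0":
        return False
    if mode == "strict":
        return r.interface == ingress
    return True


def blackhole_sources(fib, sources):
    """Add one /32 Null0 route per attack source; uRPF then drops those sources.

    The cost of the mitigation is one route per source, which is why the
    limit is the router's route capacity rather than any filter length.
    """
    return fib + [Route(ipaddress.ip_network(f"{s}/32"), "Null0") for s in sources]


def filter_packets(fib, packets, mode="loose"):
    """Return (src, dst, permitted) for each (src, dst, ingress_interface)."""
    return [(src, dst, urpf_permits(fib, src, ingress, mode)) for src, dst, ingress in packets]


# Constructed FIB: a default route towards the upstream and one customer prefix.
BASE_FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "Serial1/0"),          # upstream
    Route(ipaddress.ip_network("203.0.113.0/24"), "FastEthernet0/0"),  # customer
]

# Constructed list of sources observed in an attack on the customer.
ATTACK_SOURCES = ["198.51.100.7", "198.51.100.8"]

FIB = blackhole_sources(BASE_FIB, ATTACK_SOURCES)

# Constructed packets arriving from the upstream interface.
PACKETS = [
    ("198.51.100.7", "203.0.113.10", "Serial1/0"),  # blackholed attack source
    ("192.0.2.5", "203.0.113.10", "Serial1/0"),     # legitimate source, default route
    ("203.0.113.10", "192.0.2.5", "Serial1/0"),     # customer address arriving from upstream
]

if __name__ == "__main__":
    for row in filter_packets(FIB, PACKETS, "loose"):
        print("loose ", row)
    for row in filter_packets(FIB, PACKETS, "strict"):
        print("strict", row)
```

Two properties of the thread's approach show up directly: with a default route in the table, loose-mode uRPF permits every source except the ones explicitly routed to Null0, so the mitigation is entirely driven by the injected host routes, and strict mode additionally rejects a customer address that arrives from the upstream side, at the price of dropping legitimately asymmetric traffic.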