[47343] in North American Network Operators' Group


RE: Effective ways to deal with DDoS attacks?

daemon@ATHENA.MIT.EDU (LeBlanc, Jason)
Thu May 2 13:24:35 2002

Message-ID: <30AEDFDE01F54A4582E1F69E78860D759F6FFD@sjc-exm-18.corp.ebay.com>
From: "LeBlanc, Jason" <Jml@ebay.com>
To: 'Iljitsch van Beijnum' <iljitsch@muada.com>,
	"LeBlanc, Jason" <Jml@ebay.com>
Cc: nanog@merit.edu
Date: Thu, 2 May 2002 10:20:05 -0700 
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Errors-To: owner-nanog-outgoing@merit.edu


It (rpf) can't stop a DoS, but it does cut down on some of the spoofed
packets, and any reduction in the number of packets hitting whatever has to
filter or deal with the attack packets helps.  I don't have the stats in
front of me, but our findings were that uRPF would cut enough out to be
worthwhile.

-----Original Message-----
From: Iljitsch van Beijnum [mailto:iljitsch@muada.com]
Sent: Thursday, May 02, 2002 9:58 AM
To: LeBlanc, Jason
Cc: nanog@merit.edu
Subject: RE: Effective ways to deal with DDoS attacks?



If you just filter out anything that's not in the routing table, that's
about half the address space and it only works if the spoofers are stupid.
When you're looking at pure bandwidth that's still helpful, but it doesn't
really solve anything.

However, you can use unicast RPF as a very efficient source address
filter, by routing addresses to the null interface. This way you can get
rid of huge amounts of unwanted sources in a very clean way.

As long as we're asking for features: what I would like is a unicast RPF
check that allows everything that isn't routed to the null interface. And
of course unicast RPF period for all vendors who aren't Cisco.
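The three source-address checks discussed in this exchange, modelled as an added example that is not part of the original messages or any vendor's implementation: a small Python FIB with longest-prefix match, loose uRPF (drop if the source has no route or is routed to Null0, which is the "not in the routing table" filter that spoofers of routed space walk straight through), strict uRPF (drop unless the best route back to the source leaves via the ingress interface), and the "null-only" variant Iljitsch asks for (drop only sources routed to the null interface, letting unrouted space through). The FIB entries, interface names and sample packets are constructed for the example; "null-only" is a hypothetical mode name, not a real feature.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample FIB: (prefix, egress interface). "Null0" marks a route to the
# null interface, i.e. a source block the operator has deliberately blackholed.
# Documentation/private ranges are used; there is deliberately no default route,
# so addresses outside these prefixes really are absent from the table.
FIB: List[Tuple[str, str]] = [
    ("192.0.2.0/24", "Gi0/2"),       # customer A, reachable via Gi0/2
    ("198.51.100.0/24", "Gi0/3"),    # customer B, reachable via Gi0/3
    ("198.51.100.77/32", "Null0"),   # one unwanted source inside B's block, blackholed
    ("203.0.113.0/24", "Null0"),     # a whole unwanted block, blackholed
]

_FIB = [(ipaddress.ip_network(p), egress) for p, egress in FIB]


def lookup(src: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match of a source address against the FIB.
    Returns (prefix, egress) or None when nothing covers the address."""
    addr = ipaddress.ip_address(src)
    matches = [(net, egress) for net, egress in _FIB if addr in net]
    if not matches:
        return None
    net, egress = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), egress


def urpf_loose(src: str, ingress: str) -> bool:
    """Loose uRPF: pass only if the source has some route and it is not Null0.
    Spoofed addresses taken from routed space pass, as the thread points out."""
    route = lookup(src)
    return route is not None and route[1] != "Null0"


def urpf_strict(src: str, ingress: str) -> bool:
    """Strict uRPF: pass only if the best route back to the source leaves via
    the interface the packet arrived on. A Null0 route never matches an ingress."""
    route = lookup(src)
    return route is not None and route[1] == ingress


def urpf_null_only(src: str, ingress: str) -> bool:
    """Hypothetical variant requested in the thread: pass everything except
    sources whose best route points at Null0; unrouted space is allowed."""
    route = lookup(src)
    return route is None or route[1] != "Null0"


MODES: Dict[str, Callable[[str, str], bool]] = {
    "loose": urpf_loose,
    "strict": urpf_strict,
    "null-only": urpf_null_only,
}


def filter_packets(packets: List[Tuple[str, str]], mode: str) -> List[Tuple[str, str, str]]:
    """Apply one check to a list of (source, ingress) packets; returns verdicts."""
    check = MODES[mode]
    return [(src, ingress, "pass" if check(src, ingress) else "drop")
            for src, ingress in packets]


# Constructed sample traffic: (source address, ingress interface).
SAMPLE: List[Tuple[str, str]] = [
    ("192.0.2.10", "Gi0/2"),     # customer A's own address from its own port
    ("192.0.2.10", "Gi0/1"),     # customer A's address arriving from upstream: spoofed
    ("198.51.100.8", "Gi0/3"),   # legitimate customer B host
    ("198.51.100.77", "Gi0/3"),  # the single blackholed /32 inside B's block
    ("203.0.113.5", "Gi0/1"),    # address inside the blackholed /24
    ("10.0.0.1", "Gi0/1"),       # not covered by any route
]

if __name__ == "__main__":
    for mode in MODES:
        print(f"--- {mode} ---")
        for src, ingress, verdict in filter_packets(SAMPLE, mode):
            print(f"{src:>15} via {ingress}: {verdict}")
```

Running it shows the trade-off the thread describes: loose mode drops only unrouted and blackholed sources, strict mode also catches routed addresses arriving on the wrong interface (at the cost of breaking asymmetric routing), and the null-only variant keeps the blackhole filtering while giving up on unrouted space entirely.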
