[47802] in North American Network Operators' Group
RE: Arbor Networks DoS defense product
daemon@ATHENA.MIT.EDU (Cheung, Rick)
Wed May 15 09:59:29 2002
Message-ID: <5B2BB95CB505D5119D480002A5349195010567C1@mnmtkex3.nextelpartners.com>
From: "Cheung, Rick" <Rick.Cheung@NextelPartners.com>
To: nanog@merit.edu
Date: Wed, 15 May 2002 09:05:37 -0500
Is it common practice to place your own equipment at the ISP? My
thought is that if we are able to have our own routers at the ISP, we'd be
in a better position to mitigate the effects of a DDOS. As long as the
stream of traffic does not adversely affect our routers from performing
properly at the ISP, we can then mitigate the effects through access-lists,
QOS, etc. That is, if the attack is not too distributed, where the source IPs
with the highest amount of SYN traffic, for example, can be easily identified.
Rick Cheung
NPI IT Wan Team, CCNP
-----Original Message-----
From: Pete Kruckenberg [mailto:pete@kruckenberg.com]
Sent: Wednesday, May 15, 2002 2:15 AM
To: nanog@merit.edu
Subject: Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Rubens Kuhl Jr. wrote:
> If and when
> (a) customers don't get exemption for attack traffic
> (b) the DoS traffic occurs more than 5% (or 1 - your percentile level) of
> the month per customer circuit
> (c) the DoS increases bytes transferred like large ICMP packet flood; this
> is not the case for all DoS traffic, which can be a bunch of small packets
> that actually decreases traffic
These might apply to noticeable DoS attacks that occur as
specific events. But how much (D)DoS traffic goes unnoticed
by the average customer because it's too tough to detect or
defend against? The 10% I've measured on my network is
primarily reflected DDoS (reflected off my customers, to
off-net targets), which is not trivial to detect or defend
against.
Pete.
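
Added example, not part of the thread: one way to test the condition raised in the reply above (an attack that is "not too distributed") is to rank sources by bare-SYN packets and check whether a short access list would cover most of the SYN volume. The flow-record layout, the function names and the 80% / 3-entry thresholds are assumptions made for this sketch, and the sample data is constructed.

```python
from collections import Counter

# Constructed sample flow records: (source IP, TCP flags, packet count).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("192.0.2.10", "S", 9000),
    ("192.0.2.11", "S", 7000),
    ("198.51.100.7", "S", 2500),
    ("198.51.100.8", "SA", 400),   # SYN-ACK, not a bare SYN
    ("203.0.113.5", "S", 800),
    ("203.0.113.6", "A", 12000),   # established traffic, ignored
    ("203.0.113.9", "S", 700),
]


def syn_by_source(flows):
    """Sum the packets of bare-SYN flows per source address."""
    counts = Counter()
    for src, flags, packets in flows:
        if flags == "S":
            counts[src] += packets
    return counts


def acl_candidates(flows, coverage=0.8, max_entries=3):
    """Return (sources, share).

    sources: the fewest top SYN sources needed to reach `coverage` of all
             bare-SYN packets, capped at `max_entries` access-list lines.
    share:   the fraction of SYN packets those sources account for.
    A share below `coverage` means the attack is too distributed for a
    short source-based access list to help much.
    """
    counts = syn_by_source(flows)
    total = sum(counts.values())
    if total == 0:
        return [], 0.0
    picked, covered = [], 0
    for src, packets in counts.most_common(max_entries):
        picked.append(src)
        covered += packets
        if covered / total >= coverage:
            break
    return picked, covered / total


if __name__ == "__main__":
    sources, share = acl_candidates(SAMPLE_FLOWS)
    print(f"top sources {sources} carry {share:.0%} of SYN packets")
```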