[64830] in North American Network Operators' Group


Re: DDoS detection and mitigation systems

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Mon Nov 3 12:52:16 2003

Date: Mon, 3 Nov 2003 17:51:22 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Alex Yuriev <alex@yuriev.com>
Cc: Mailing List Subscriptions <jcc-list@thenetexpert.net>,
	nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0311030834550.9762-100000@s1.yuriev.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 3 Nov 2003, Alex Yuriev wrote:

>
> > Do you use/develop in-house tools to analyze Netflow on your peering routers
> > and have that interface in near-realtime with the said routers to null route
> > (BGP and RPF) the offending sources?
>
> Source or destination? Null routing source of DOS is not going to do you any
> good. Null routing destination, especially automatically null routing

unless you aren't concerned about pipe-usage and you run uRPF on that
pipe...

> destination, creates a large possibility of shooting yourself in a foot.
>

yes, auto-actions for security, especially DoS-type things tend to shoot
feet often :( Think Victoria Secret Fashion Show, or Cisco IOS upgrade for
all platforms released under lots of press coverage (like the protocols
problem earlier this year)

-Chris
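As an added illustration that is not part of the thread: a small Python model of the two blackhole styles discussed above. A source null route only drops anything when loose-mode uRPF is enabled on the ingress interface (Chris's case), whereas a destination null route also discards legitimate traffic to the victim (Alex's "shooting yourself in the foot"). The FIB, addresses and interface names are constructed.

```python
import ipaddress

# Constructed FIB (longest-prefix match); "Null0" marks a discard route.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "Gig0/1",  # victim's customer network
    ipaddress.ip_network("203.0.113.0/24"): "Gig0/2",   # another customer
    ipaddress.ip_network("0.0.0.0/0"): "Gig0/0",        # default route towards a peer
}
ATTACKER, VICTIM, CLIENT = "192.0.2.7", "198.51.100.10", "203.0.113.5"  # constructed

def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(addr)
    matches = [net for net in fib if addr in net]
    return fib[max(matches, key=lambda n: n.prefixlen)] if matches else None

def urpf_loose_ok(fib, src):
    """Loose-mode uRPF: the source must resolve to a route that is not a discard.
    Real routers differ on whether a default route counts (Cisco needs
    'allow-default'); this model treats any non-Null0 route as valid."""
    nh = lookup(fib, src)
    return nh is not None and nh != "Null0"

def forward(fib, src, dst, urpf):
    """Verdict for one packet arriving on an interface with uRPF on or off."""
    if urpf and not urpf_loose_ok(fib, src):
        return "drop:urpf-ingress"  # dropped at the edge router; backbone is spared,
                                    # though the ingress pipe itself still carries it
    nh = lookup(fib, dst)
    if nh is None or nh == "Null0":
        return "drop:dst-blackhole"
    return "forward:" + nh

def with_blackhole(fib, prefix):
    """Copy of the FIB with an added route to Null0 (e.g. a /32 triggered via BGP)."""
    new = dict(fib)
    new[ipaddress.ip_network(prefix)] = "Null0"
    return new

def scenarios():
    """(attack flow, legitimate flow) verdicts under the options from the thread."""
    src_bh = with_blackhole(FIB, ATTACKER + "/32")
    dst_bh = with_blackhole(FIB, VICTIM + "/32")
    flows = lambda fib, urpf: (forward(fib, ATTACKER, VICTIM, urpf), forward(fib, CLIENT, VICTIM, urpf))
    return {
        "no action": flows(FIB, False),
        "src null, no uRPF": flows(src_bh, False),      # Alex's point: does nothing
        "src null + loose uRPF": flows(src_bh, True),   # Chris's case: attack dropped, client fine
        "dst null": flows(dst_bh, True),                # client traffic to victim lost too
    }
```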
