[80633] in North American Network Operators' Group
Re: anycast and ddos
daemon@ATHENA.MIT.EDU (Fergie (Paul Ferguson))
Fri May 6 13:06:30 2005
From: "Fergie (Paul Ferguson)" <fergdawg@netzero.net>
Date: Fri, 6 May 2005 17:03:53 GMT
To: randy@psg.com
Cc: nanog@nanog.org
Errors-To: owner-nanog@merit.edu
As one of the co-authors of RFC-2827, I'm assuming you
meant me -- if so, no apology needed. :-)
I'm just sorry to have to see a "weakness" exploited which
could easily be "fixed"....
- ferg
ps. This also seems like a good time to mention (again)
"The Spoofer Project" at MIT:
http://momo.lcs.mit.edu/spoofer/
[and]
http://momo.lcs.mit.edu/spoofer/summary.php
-- Randy Bush <randy@psg.com> wrote:
it seems that anycasting was quite insufficient to protect
netsol's service from being severely damaged (udp dead, tcp
worked) for a considerable length of time by a ddos [0] last
week [1]. it would be very helpful to other folk concerned
with service deployment to understand how the service in
question was/is anycast, and what might be done differently
to mitigate exposure of similar services.
anyone have clues or is this ostrich city? maybe a preso at
nanog would be educational.
randy
---
[0] - as it seems that the ddos sources were ip address
spoofed (which is why the service still worked for
tcp), i owe paul an apology for downplaying the
immediacy of the need for source address filtering.
[1] - netsol is not admitting anything happened, of course
<sigh>. but we all saw the big splash as it hit the
water, the bubbles as it sank, and the symptoms made
the cause pretty clear.
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
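Paul's mention of RFC 2827 and Randy's footnote on source address filtering both point at ingress filtering at the stub-network edge. The following is an added illustration of that filter logic, not code from either message or from the Spoofer Project; the interface names, prefixes and packets are constructed sample values.

```python
"""Added illustration (not code from the thread) of the RFC 2827 / BCP 38
ingress filter the messages refer to: a stub network's edge router forwards
a packet only if its source address falls inside the prefixes assigned to
the interface it arrived on. Interfaces, prefixes and packets are constructed."""
import ipaddress
from collections import Counter

# Constructed: legitimate source prefixes per customer-facing interface.
# An interface with no entry (e.g. a transit link) is not filtered.
INGRESS_PREFIXES = {
    "ge-0/0/1": ["192.0.2.0/24", "2001:db8:1::/48"],
    "ge-0/0/2": ["198.51.100.0/25"],
}


def allowed_by_ingress_filter(ingress_if, src, prefixes=INGRESS_PREFIXES):
    """True -> forward, False -> drop as a spoofed source."""
    if ingress_if not in prefixes:
        return True  # upstream/peer link: RFC 2827 does not apply here
    addr = ipaddress.ip_address(src)
    # An IPv4 address is never 'in' an IPv6 network and vice versa.
    return any(addr in ipaddress.ip_network(p) for p in prefixes[ingress_if])


def apply_filter(packets, prefixes=INGRESS_PREFIXES):
    """Classify (iface, src, dst, proto) tuples; return a Counter keyed by
    (verdict, proto) so the effect on UDP vs TCP flood traffic is visible."""
    result = Counter()
    for iface, src, _dst, proto in packets:
        ok = allowed_by_ingress_filter(iface, src, prefixes)
        result[("forward" if ok else "drop", proto)] += 1
    return result


# Constructed traffic toward an anycast DNS address 203.0.113.53.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.53", "udp"),       # genuine
    ("ge-0/0/1", "2001:db8:1::10", "203.0.113.53", "tcp"),   # genuine
    ("ge-0/0/1", "10.9.8.7", "203.0.113.53", "udp"),         # spoofed
    ("ge-0/0/1", "203.0.113.99", "203.0.113.53", "udp"),     # spoofed
    ("ge-0/0/2", "198.51.100.250", "203.0.113.53", "udp"),   # outside the /25
    ("xe-1/0/0", "203.0.113.7", "203.0.113.53", "udp"),      # transit, unfiltered
]

if __name__ == "__main__":
    for (verdict, proto), n in sorted(apply_filter(SAMPLE_PACKETS).items()):
        print(f"{verdict:8} {proto}: {n}")
```

With this filter at every stub edge, spoofed-source floods like the one Randy describes never leave the originating network, which is the "fix" Paul is referring to.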