[80635] in North American Network Operators' Group
Re: anycast and ddos
daemon@ATHENA.MIT.EDU (Kim Onnel)
Fri May 6 20:49:31 2005
Date: Sat, 7 May 2005 03:48:46 +0300
From: Kim Onnel <karim.adel@gmail.com>
Reply-To: Kim Onnel <karim.adel@gmail.com>
To: "Fergie (Paul Ferguson)" <fergdawg@netzero.net>
Cc: randy@psg.com, nanog@nanog.org
In-Reply-To: <20050506.100452.28795.118567@webmail18.lax.untd.com>
Errors-To: owner-nanog@merit.edu
I've looked around most DDoS prevention methods outhere, i can safely
say that alot of them usually just repeat each other, for me it all
boils down to
1) CoPP and aggresive SPD to protect the routing/management when
infrastructure is attacked.
2) Getting Riverhead, which is a shame if they had it and it didnt save the=
day.
3) Netflow to detect the attacking sources/dst and using Filtering and
blackholing methods. (Arbor, open-source tools...)
So, if they had all that in place and still they were brought down,
then i would seriously like to look for new/different solutions
applied or perhaps someone on the list could give us his experience in
a case of a heavy ddos where it was easily mitigated with the above.
Regards
On 5/6/05, Fergie (Paul Ferguson) <fergdawg@netzero.net> wrote:
>=20
>=20
> As one of the co-authors of RFC-2827, I'm assuming you
> meant me -- if so, no apology needed. :-)
>=20
> I'm just sorry to have to see a "weakness" exploited which
> could easily be "fixed"....
>=20
> - ferg
>=20
> ps. This also seems like a good time to mention (again)
> "The Spoofer Project" at MIT:
>=20
> http://momo.lcs.mit.edu/spoofer/
>=20
> [and]
>=20
> http://momo.lcs.mit.edu/spoofer/summary.php
>=20
>=20
> -- Randy Bush <randy@psg.com> wrote:
>=20
> it seems that anycasting was quite insufficient to protect
> netsol's service from being severely damaged (udp dead, tcp
> worked) for a considerable length of time by a ddos [0] last
> week [1]. it would be very helpful to other folk concerned
> with service deployment to understand how the service in
> question was/is anycast, and what might be done differently
> to mitigate exposure of similar services.
>=20
> anyone have clues or is this ostrich city? maybe a preso at
> nanog would be educational.
>=20
> randy
>=20
> ---
>=20
> [0] - as it seems that the ddos sources were ip address
> spoofed (which is why the service still worked for
> tcp), i owe paul an apology for downplaying the
> immediacy of the need for source address filtering.
>=20
> [1] - netsol is not admitting anything happened, of course
> <sigh>. but we all saw the big splash as it hit the
> water, the bubbles as it sank, and the symptoms made
> the cause pretty clear.
>=20
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg@netzero.net or fergdawg@sbcglobal.net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
