Over a decade of DDOS--any progress yet?
Thomas Mangin
thomas.mangin at exa-networks.co.uk
Wed Dec 8 15:04:28 UTC 2010
On 6 Dec 2010, at 15:34, David Ulevitch wrote:
> On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore <patrick at ianai.net> wrote:
>> On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
>>
>>> Besides having *a lot* of bandwidth there's not really much you can do to
>>> mitigate. Once you have the bandwidth you can filter (w/good hardware).
>>> Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.
>>
>> There is a variation on that theme. Using a distributed architecture (anycast, CDN, whatever), you can limit the attack to certain nodes. If you have 20 nodes and get attacked from a botnet in China, only the users on the same node as the Chinese users will be down. The other 95% of your users will be fine. This is true even if you have 1 Gbps per node, and the attack is 100 Gbps strong.
>
> I think this is only true if you run your BGP session on a different
> path (or have your provider pin down a static route). If you are
> using BGP and run it on the same path, the 100Gbps will cause massive
> packet loss and likely cause your BGP session to drop which will just
> move the attack to another site, rinse / repeat. I don't think very
> many people run BGP over a separate circuit, but for some folks, it
> might be appropriate.
Running BGP over a different circuit will cause some blackholing of the traffic if the real link is down but not the BGP path.
So IMHO the best way is still a good router with some basic QoS to protect BGP on the link.
Thomas
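An added illustration of the "basic QoS to protect BGP on the link" approach, not taken from the thread or from any poster: a Cisco IOS MQC policy that places BGP (TCP/179) in a low-latency priority queue on the upstream-facing interface so that KEEPALIVE and UPDATE packets are serviced before the bulk of a flood. The interface name, neighbor address and the 1% priority allocation are assumed placeholders.

```cisco
! Match BGP in both directions: our outbound session traffic and any
! BGP packets forwarded over this link. "eq bgp" is the IOS keyword for TCP 179.
ip access-list extended BGP-CONTROL
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-all BGP-SESSION
 match access-group name BGP-CONTROL
!
! LLQ: BGP gets a strict-priority queue sized well above what a session
! needs (1% of the link is an assumed value); everything else shares the
! remainder fairly, so a saturating flow cannot starve the session.
policy-map PROTECT-BGP
 class BGP-SESSION
  priority percent 1
 class class-default
  fair-queue
!
! Assumed upstream interface; apply the policy to our egress direction.
interface GigabitEthernet0/0
 description Transit uplink (placeholder)
 service-policy output PROTECT-BGP
!
! Keepalives still have to arrive: a longer hold time gives the session
! more tolerance for loss before the peer tears it down (values assumed).
router bgp 64496
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 timers 30 180
```

The egress policy only governs packets leaving this router; the inbound direction of the link is scheduled by the upstream's equipment, so the provider must apply an equivalent policy on their side for the protection to hold while the link is saturated towards you. On platforms that support it, Control Plane Policing (`control-plane` / `service-policy input`) is the complementary step that keeps the route processor itself responsive once the packets have made it across the link.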