Over a decade of DDOS--any progress yet?

Thomas Mangin thomas.mangin at exa-networks.co.uk
Wed Dec 8 15:04:28 UTC 2010


On 6 Dec 2010, at 15:34, David Ulevitch wrote:

> On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore <patrick at ianai.net> wrote:
>> On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
>> 
>>> Besides having *a lot* of bandwidth there's not really much you can do to
>>> mitigate. Once you have the bandwidth you can filter (w/good hardware).
>>> Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.
>> 
>> There is a variation on that theme.  Using a distributed architecture (anycast, CDN, whatever), you can limit the attack to certain nodes.  If you have 20 nodes and get attacked from a botnet China, only the users on the same node as the Chinese use will be down.  The other 95% of your users will be fine.  This is true even if you have 1 Gbps per node, and the attack is 100 Gbps strong.
> 
> I think this is only true if you run your BGP session on a different
> path (or have your provider pin down a static route).  If you are
> using BGP and run it on the same path, the 100Gbps will cause massive
> packet loss and likely cause your BGP session to drop which will just
> move the attack to another site, rinse / repeat.  I don't think very
> many people run BGP over a separate circuit, but for some folks, it
> might be appropriate.

Running BGP over a different circuit will cause some blackholing of the traffic if the real link is down but not the BGP path.
So IMHO the best way is still a good router with some basic QoS to protect BGP on the link.

Thomas
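The three positions in this exchange (anycast confines the flood to one node; an unprotected BGP session sharing the flooded link drops and the flood follows the prefix, rinse/repeat; a session on a separate circuit stays up and black-holes users when the real link dies, whereas QoS-protected BGP on the same link withdraws cleanly) as a toy simulation. This is an added example, not code from the list or from any poster; node count, link sizes, timer assumptions and the loss model are all constructed.

```python
# Toy model of the thread's argument (added example, all numbers constructed):
# anycast confines a flood to the node nearest its source, but only while that
# node's BGP session survives the saturated link.
SAME_LINK = "same_link"          # keepalives share the flooded link
SAME_LINK_QOS = "same_link_qos"  # keepalives prioritised on that same link
SEPARATE_PATH = "separate_path"  # session runs over a different circuit

def session_survives(mode, loss_ratio, link_up, keepalives_per_hold=3):
    """Whether the attacked node's BGP session stays up at a given data-plane loss."""
    if mode == SEPARATE_PATH:
        return True                  # never sees the flooded (or dead) link
    if not link_up:
        return False                 # session dies with the circuit: clean withdrawal
    if mode == SAME_LINK_QOS:
        return True                  # prioritised keepalives still get through
    # Unprotected: assume default timers (3 keepalives per hold time); the session
    # drops once losing all of them is more likely than not.
    return loss_ratio ** keepalives_per_hold < 0.5

def simulate(mode, nodes=20, capacity_gbps=1.0, attack_gbps=100.0,
             attacked_link_fails=False):
    """Walk the flood around the anycast ring starting at node 0. Returns
    (fraction of users still served, nodes that withdrew, nodes black-holing users)."""
    announced = list(range(nodes))   # nodes still advertising the anycast prefix
    withdrawn, dead, blackholed = [], [], []   # dead: announced but unable to serve
    target = 0                       # anycast delivers the flood to the nearest node
    while announced:
        link_up = not (attacked_link_fails and target == 0)
        overload = attack_gbps > capacity_gbps
        loss = 1.0 if not link_up else (1 - capacity_gbps / attack_gbps if overload else 0.0)
        if session_survives(mode, loss, link_up):
            if not link_up:
                blackholed.append(target)    # still announced, delivers nothing
            if loss > 0:
                dead.append(target)          # saturated or black-holed: its users are down
            break                            # prefix stays put; the flood stops moving
        withdrawn.append(target)
        announced.remove(target)
        if announced:                        # rinse / repeat: the flood follows the prefix
            target = min(announced, key=lambda n: (n - target) % nodes)
    # Every node withdrew: total outage. Otherwise the users of withdrawn nodes
    # failed over along the chain and are lost only if it ends on a dead node.
    lost = nodes if not announced else (len(withdrawn) + 1 if dead else 0)
    return 1 - lost / nodes, withdrawn, blackholed
```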