UDP port 80 DDoS attack

Mark Andrews marka at isc.org
Wed Feb 8 22:14:22 UTC 2012


In message <596B74B410EE6B4CA8A30C3AF1A155EA09CBE561 at RWC-MBX1.corp.seven.com>, George Bonser writes:
> 
> 
> > -----Original Message-----
> > From: christopher.morrow
> >
> > to be fair: "Some Providers do not check registries for 'right to use'
> > information about prefixes their customers wish to announce to them
> > over BGP."
> 
> Maybe not but I would think that in practice it would be something like:
> 
> 1. Provider initially filters traffic based on the address range they have issued to the customer.
> 2. If the customer brings their own IP addresses, the provider does a quick check to see if those have been SWIPed to the customer.
> 3. If the customer wants the filtration opened up to include additional IPs, they do the same as #2.
> 4. If the customer has no record of having control of those IPs, a quick call to the listed assignee of those numbers would verify that the customer is mutual and is properly sourcing traffic in that IP range, and filters are adjusted accordingly.
> 
> In about 99% of cases that would be the end of the story and everything runs merrily along after that.  Sure, there are going to be corner cases, but if someone starts playing whack-a-mole with IP address assignments and is asking for frequent changes, that might be a tip-off that they might be trouble.
> 
> It *does* involve maintaining some record of the configuration settings someplace in case of equipment changes/failures, etc., but that would be a small price to pay for reducing the amount of time spent chasing DoS complaints.  It has to be a community effort with a set of best practices developed and applied by the community.

And with cryptographically signed assignments this can be completely
automated.  Tie the DHCPv6 server into the RPKI system and DHCPv6
PD can do the right stuff so that the other ISP serving the customer
can know that these addresses are legal from the customer.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
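The check the thread is circling (does this customer have the right to source this prefix?) is what RPKI route origin validation formalises in RFC 6811. The following is an added example, not code from the thread or from any ISC project: it classifies a (prefix, origin AS) pair against a set of ROAs and derives the prefix list a provider could seed its inbound filter from. The ROA set, prefixes and AS numbers are constructed sample values from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Route Origin Validation per RFC 6811, applied to the prefixes a customer asks
# to announce. The ROAs below are constructed sample data (RFC 5737 / RFC 3849
# documentation prefixes, RFC 5398 documentation AS numbers), not real records.

@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the holder signed, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the holder allows to be announced
    asn: int          # AS authorised to originate the prefix

SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64496),   # holder permits deaggregation to /26
    ROA("2001:db8::/32", 48, 64496),
)

def _covers(roa: ROA, net) -> bool:
    """A ROA 'covers' a route when the route prefix lies inside the ROA prefix,
    regardless of max_length or origin AS (RFC 6811 section 2)."""
    roa_net = ipaddress.ip_network(roa.prefix, strict=False)
    return roa_net.version == net.version and net.subnet_of(roa_net)

def validate(prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for a (prefix, origin AS) pair."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "NotFound"            # nobody has signed anything about this space
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "Valid"           # matched: right AS and permitted length
    return "Invalid"                 # covered, but no ROA matches this announcement

def permitted_prefixes(origin_asn: int, roas=SAMPLE_ROAS):
    """Prefixes a customer originating from this AS may announce, with the most
    specific length allowed: a seed for the provider's inbound prefix filter."""
    return sorted((r.prefix, r.max_length) for r in roas if r.asn == origin_asn)
```

A "NotFound" result is the case George's step 4 handles by phoning the listed assignee; "Invalid" is the case where the registry data actively contradicts the request.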