ddos attacks
cb.list6
cb.list6 at gmail.com
Thu Dec 19 21:39:25 UTC 2013
On Dec 19, 2013 4:25 PM, "Dobbins, Roland" <rdobbins at arbor.net> wrote:
>
>
> On Dec 19, 2013, at 6:12 AM, cb.list6 <cb.list6 at gmail.com> wrote:
>
> > I am strongly considering having my upstreams to simply rate limit ipv4
UDP.
>
> QoS is a very poor mechanism for remediating DDoS attacks. It ensures
that programmatically-generated attack traffic will 'squeeze out'
legitimate traffic.
>
I agree. But ... i am pretty sure i am going to do it. Trade offs.
> > During an attack, 100% of the attack traffic is ipv4 udp (dns, chargen,
whatever).
>
> Have you checked to see whether you and/or your customers have open DNS
recursors, misconfigured CPE devices, etc. which can be used as
reflectors/amplifiers on your respective networks?
>
> Have you implemented NetFlow and S/RTBH? Considered building a
mitigation center?
>
> <http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
>
> Do you work with your peers/upstreams/downstreams to mitigate DDoS
attacks when they ingress your network?
>
Not answering any of that. But thanks for asking.
> There are lots of things one can do to increase one's ability to detect,
classify, traceback, and mitigate DDoS attacks, yet which aren't
CAPEX-intensive.
>
I think ipv4 udp is just going to become operationally deprecated. Too
much pollution. It is really an epic amount of trash / value ratio in ipv4
udp.
I recommend folks enable their auth dns servers for ipv6 ... and dont run
open resolvers
CB
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
>
>
More information about the NANOG
mailing list