ddos attacks
Saku Ytti
saku at ytti.fi
Fri Dec 20 08:27:21 UTC 2013
On (2013-12-20 03:24 +0000), Dobbins, Roland wrote:
> > I think ipv4 udp is just going to become operationally deprecated. Too much pollution. It is really an epic amount of trash / value ratio in ipv4 udp.
>
> This isn't a realistic viewpoint.
What are realistic options?
a) QUIC and MinimaLT
- 0 RTT overhead, like UDP
- no reflection attacks, like TCP
- all traffic encrypted
- parity packets to match packet loss to avoid the need for resends (QUIC)
- non-bursty via packet pacing
- solution for buffer bloat (packet pacing can be affected by changing latency) (QUIC)
- CPU hit, encryption isn't free, but shouldn't be an issue today
- mobility, IP is not needed to recognize the end-point, you can hop from WLAN to 4G without disconnecting
b) ACL between transit provider and transit customer
- <50k ports to configure in the whole world to make UDP reflection useless as a DoS vector
c) ACL/RPF in a significant portion of access ports in the whole world
- I'm guessing a significant portion of access ports are on autopilot with no one to change their configs, so probably not practical.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
>
>
--
++ytti
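As an added illustration (not part of Saku's post or the NANOG thread), here is a Python sketch of how an operator could spot the UDP reflection traffic that option (b) aims to filter: it groups inbound UDP flows whose source port is a known reflector service port by destination and flags destinations receiving large responses from several distinct reflectors. The flow records, the reflector port set and the thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample flow records (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
SAMPLE_FLOWS = """\
198.51.100.10,123,203.0.113.5,40000,udp,200,96000
198.51.100.11,123,203.0.113.5,40000,udp,180,86400
198.51.100.12,53,203.0.113.5,40000,udp,150,600000
192.0.2.7,53,203.0.113.9,53211,udp,2,300
192.0.2.8,443,203.0.113.9,51000,tcp,40,52000
"""

# Illustrative subset of UDP service ports commonly abused as reflectors (assumption,
# not the "<50k ports" list the post refers to).
REFLECTOR_PORTS = {19, 53, 123, 161, 1900}


def parse_flows(text):
    """Parse the comma-separated flow export above into dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, pkts, byts = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                      "proto": proto, "packets": int(pkts), "bytes": int(byts)})
    return flows


def find_reflection_victims(flows, min_bytes_per_packet=200, min_reflectors=2):
    """Return destinations that look like reflection/amplification victims.

    Only UDP flows whose *source* port is a reflector service port count; a host
    receiving large responses from several reflectors is reported with the
    reflector count, average response size and the source ports involved."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "ports": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        d = per_dst[f["dst"]]
        d["reflectors"].add(f["src"])
        d["ports"].add(f["sport"])
        d["packets"] += f["packets"]
        d["bytes"] += f["bytes"]
    victims = {}
    for dst, d in per_dst.items():
        bpp = d["bytes"] / d["packets"] if d["packets"] else 0
        if bpp >= min_bytes_per_packet and len(d["reflectors"]) >= min_reflectors:
            victims[dst] = {"reflectors": len(d["reflectors"]), "bytes_per_packet": round(bpp, 1),
                            "source_ports": sorted(d["ports"])}
    return victims


if __name__ == "__main__":
    print(find_reflection_victims(parse_flows(SAMPLE_FLOWS)))
```

The `source_ports` in the result are exactly the ports a transit-edge ACL of the kind option (b) describes would need to cover for that victim.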