Inter-provider communications (Re: nobody @home)

Vijay Gill vijay at umbc.edu
Mon Jan 22 06:41:23 UTC 2001


On Sun, 21 Jan 2001, Dan Hollis wrote:

> By the time law enforcement has to be involved to convince a tier1 to
> shut off their ddos sources, it's far past the point of complicity and the
> preventable monetary damages have already occurred. You can bet someones
> going to get sued.

From what I can manage to make out of the thread, the impression I get is
that people seem to believe that the Tier 1 (what constitutes a Tier 1
anyway in today's world?) just needs to throw a switch and turn off a DDoS
attack, but that they are too lazy to flip it.

Reality being a bit different, so let's check into what we have here.

Reality has it that there are:

several tens of thousands of customers, 100k+ interfaces for customers,
all terminated on broken hardware that cannot line-rate filter on all
interfaces, 200k iBGP entries, entry points from several thousand peering
interfaces, mostly at OC12 rates or higher, thousands of routers, and a
chronic shortage of staff, because anyone who is any good at a
customer-facing role (and DoS/abuse are customer-facing roles) tends to
burn out and fade away very fast, normally up the engineering hierarchy,
leaving the job to fresh new people, armed with inadequate experience and
lacking the tools to do the job.

A DDoS attack is by definition a hard one to trace, no matter what people
(vendors) would have you believe. Put in an ACL to do a traceback? What
do we put in the ACL, when some DDoS attacks involve 500+ machines, each
being carefully rate limited to send a few packets, perhaps with different
information in each? Maybe putting an ACL on will crash the router, and
the router cannot be code upgraded because a new and interesting
interaction with the new train tickles some other bugs, causing hard
crashes at random.

The govt. agencies are involved often, but the fundamental problems of
very large networks coupled with inadequate protocols and broken
implementations make traceback of DDoS attacks _very hard_.

This is not to say that some backbones aren't lazy about doing the job; I
suspect that is mostly because the people doing the tracebacks have
realized that it is almost impossible to do adequately with any chance of
success and tend to ignore it. This is not a good thing, but this is what
appears to be happening. On the other hand, people are beating on vendors
to treat this problem seriously and give operators proper debugging
abilities and better hardware. Also please realize that just turning off
someone's circuit because some j. random person called up and claimed it
was sourcing a DDoS attack is often prohibited by policy at various
networks, and an exception must be made by senior mgmt in the chain.  If
every noc just started to turn off interfaces because of a phone call, the
results are easy to imagine.

/vijay
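[Added illustration, not part of Vijay's message or of anything posted in
the thread: a small simulation of the point made above about ACLs and
traceback. The flow records below are constructed (RFC 5737 documentation
addresses), the packet rates and thresholds are assumptions chosen for the
demo, and the ACL syntax is only illustrative. It shows that a per-source
rate threshold, the natural thing to express in an ACL, catches the
legitimate clients and none of 500 bots that each send a few packets per
second, while the attack only becomes visible when flows are aggregated by
destination; it also shows how many ACL entries the traceback would need,
before even considering that the sources may be spoofed.]

```python
"""Added example (not from the original post): why per-source filtering does
not expose a DDoS whose sources are each rate limited, and what aggregating
by destination reveals instead. All flow data here is constructed."""
from collections import defaultdict

# Assumed victim address (RFC 5737 TEST-NET-1); purely illustrative.
VICTIM = "192.0.2.10"


def build_sample_flows(n_bots=500, bot_pps=3):
    """Constructed NetFlow-like records as (src, dst, packets_per_second).

    50 legitimate clients in 192.0.2.100-149 talk to nine servers in
    192.0.2.1-9 at 20-199 pps.  n_bots bots drawn from 198.51.100.0/24 and
    203.0.113.0/24 each send only bot_pps toward VICTIM (assumed values).
    """
    flows = []
    for i in range(50):
        src = f"192.0.2.{100 + i}"
        dst = f"192.0.2.{1 + i % 9}"
        flows.append((src, dst, 20 + (i * 7) % 180))
    bot_pool = [f"198.51.100.{h}" for h in range(1, 255)]
    bot_pool += [f"203.0.113.{h}" for h in range(1, 255)]
    for src in bot_pool[:n_bots]:
        flows.append((src, VICTIM, bot_pps))
    return flows


def per_source_suspects(flows, threshold_pps=10):
    """What a per-source rate ACL would flag: every source above the threshold.

    With rate-limited bots this returns only the legitimate clients, i.e. the
    ACL would block the wrong people and miss the attack entirely.
    """
    return sorted({src for src, _, pps in flows if pps > threshold_pps})


def per_destination_profile(flows):
    """Aggregate per destination: (total pps, number of distinct sources)."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, pps in flows:
        totals[dst] += pps
        sources[dst].add(src)
    return {dst: (totals[dst], len(sources[dst])) for dst in totals}


def attack_targets(flows, min_total_pps=1000, min_sources=100):
    """Destinations whose aggregate rate is high AND spread over many sources.

    A high rate from a few sources is a busy server; a high rate from hundreds
    of low-rate sources is the DDoS signature the per-source view cannot see.
    Thresholds are assumptions for this demo.
    """
    return {dst: stats for dst, stats in per_destination_profile(flows).items()
            if stats[0] >= min_total_pps and stats[1] >= min_sources}


def acl_for_target(flows, dst):
    """The ACL a traceback would call for: one deny line per contributing source.

    Illustrative router-style syntax only.  Note the size of the result, and
    that nothing here proves the source addresses are not spoofed.
    """
    srcs = sorted({src for src, d, _ in flows if d == dst})
    return [f"deny ip host {src} host {dst}" for src in srcs]


if __name__ == "__main__":
    flows = build_sample_flows()
    print("per-source ACL would flag:", len(per_source_suspects(flows)),
          "sources, all legitimate clients")
    print("per-destination view:", attack_targets(flows))
    print("ACL entries needed for traceback:", len(acl_for_target(flows, VICTIM)))
```

Running it prints that the per-source threshold flags 50 sources (all the
legitimate clients) while the destination view singles out 192.0.2.10 with
1500 pps from 500 sources, and that expressing the block as an ACL takes 500
entries, which is the scale problem the post describes.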
