Improving Robustness of Distributed Services (Re: DDoS attacks)

Chris Roberts croberts at bongle.co.uk
Thu Jul 12 11:22:04 UTC 2001


On Thu, Jul 12, 2001 at 12:13:17PM +0300, Aleksi Suhonen wrote:
> 
> 
> Hello,
> 
> I've been involved in running part of another IRC network and
> I've been trying to find reasonable ways to immunize networks
> to DoS attacks. The reasoning behind this quest is that if
> there is no way to deny the service, then the attacker shouldn't
> have a reason to even try.
> 
> I think this is relevant content for this mailing list because:
> 
> * Most of DoS attacks are against IRC networks. Hence, if we can
>   get rid of those, the health of the Internet as a whole should
>   improve.
> * Experience gathered with this approach should be useful to
>   developers and administrators of other distributed services
>   and protocols.
>   (e.g. usenet news, web cache heirarchies, DNS, BGP, ... YMMV)
> 
> 
> 
[...]

I've seen a few suggestions bounced around about way to protect the
inter server links.

Most of the suggestions brought forward revolve around hiding the server
to server links, to make them difficult targets to attack - running
server-to-server links over IPv6 (which is allegedly now as easy to DoS
as IPv4, unfortunately), running them over IPSec w/ private IP addresses
et al. Unfortunately, finding private peering and such for IRC servers
would be a very costly way to go - and not one that's attractive to many
of the educationals/ISPs/private parties that run for the most part,
non-revenue generating IRC services. 

There are a few other ways to protect your client servers semi-simply -
move them into a seperate block - which you can easily stop announcing
globally - or even just announce to only those peers with whom you peer
IRC, or those peers whose customers you allow to use your IRC server.
The latter of these would work well for large IRC networks with many
servers, as it controls exactly which servers people can use. 

Unfortunately though, I've still not found an elegant solution to
these problems that doesn't also remove the service, or still rely
on shipping the traffic across your borders.

To a certain extent, contacting your transits works to get attacks
stopped. I've certainly had good experiences with at least Cable
and Wireless, Teleglobe, and Genuity. But even then, the time from
attack starting to getting traffic filtered can be in the region of 30
minutes to an hour, and this only stops the traffic coming through your
transits. Peers are another matter entirely, and since even one or two
IXPs can result in the order of 400-500 peers, there's generally no
possible way to call all of them in a short timeframe.

Question for the list:
Does anyone have good or bad experiences with mailing lists containing
all of your transits, and peers NOC addresses, and using these kinds
of lists to contact / request filtering on mass? How do people
on the relevant NOC lists feel about this kind of situation?

Cheers,
Chris.




More information about the NANOG mailing list