Improving Robustness of Distributed Services (Re: DDoS attacks)

Aleksi Suhonen nanog-poster at axu.tm
Thu Jul 12 12:56:32 UTC 2001



Hello,

On Thu, Jul 12, 2001 at 12:13:17PM +0300, I wrote:
> I've been involved in running part of another IRC network and
> I've been trying to find reasonable ways to immunize networks
> to DoS attacks.
[...]

Quote from Chris Roberts:
} I've seen a few suggestions bounced around about ways to protect the
} inter server links.

[...]

} There are a few other ways to protect your client servers semi-simply -
} move them into a separate block - which you can easily stop announcing
} globally - or even just announce to only those peers with whom you peer
} IRC, or those peers whose customers you allow to use your IRC server.
} The latter of these would work well for large IRC networks with many
} servers, as it controls exactly which servers people can use. 

While I find the idea of having the IRC server sit in a prefix of its
own with limited visibility very lucrative, it would seem to be very
hard to actually acquire an unaggregated prefix for this purpose.

Would there happen to be someone on the list with an unused B-class
(for example,) that would be willing to give out sub-C's (for example)
for such a purpose? ;-)

} Unfortunately though, I've still not found an elegant solution to
} these problems that doesn't also remove the service, or still rely
} on shipping the traffic across your borders.

Well ... I of course feel the solution I presented would be elegant
wrt that, but I won't deny that provisioning the (virtual or real)
circuits required is very hard, especially if on a zero budget.

} Question for the list:
} Does anyone have good or bad experiences with mailing lists containing
} all of your transits', and peers' NOC addresses, and using these kinds
} of lists to contact / request filtering en masse? How do people
} on the relevant NOC lists feel about this kind of situation?

I haven't done exactly that, but from my experience I would imagine
that using something like that may get your filter installed faster,
but removed slower if at all. It will probably have very little
impact on the number of peers that are willing to install a filter
just for you.

Also: asking for a null host route will more often result in getting the
desired effect than asking for a filter, for various technical reasons.

Kindest regards,

--
Person:       Aleksi Suhonen
nic-hdl:      AXU-RIPE


