engineering --> ddos and flooding

Hank Nussbacher hank at att.net.il
Tue Jun 5 06:18:50 UTC 2001


At 14:08 04/06/01 -0400, Matt Zito wrote:



> > Sorry but IMESHO null routing a /32 during a DoS attack
> > doesn't exactly
> > strike me as engineering. It is more like dealing with the attack in
> > real-time. To mean engineering would mean designing networks
> > to be resistant to DDoS and flooding in the first place.
> >
> > To that end no NSP should ever allow spoofed IP addresses outside of
> > their network. (not just RFC 1918 addresses but valid IPs that don't
> > belong to that NSP)
> >
> >       e.g. if I have a circuit from C&W and I try to spoof a packet
> >       with a source address of 216.35.172.135 it should be dropped as
> >       close to the edge of C&W's network as possible.
> >
> >       note on RFC 1918 addresses: These should never get past customer
> >       edge routers IMESHO.
> >
> > Two NSPs should rate limit DoS traffic (ICMP & SYNs) within their
> > networks in such a way that it can never DoS a T-1 (or E-1 if you are
> > not in the US). [note: I'm not sure if Ciscos are up for this workload
> > since I primarily work with Juniper.]
> >
>
>Rate-limiting ICMP is not so difficult - rate-limiting SYNs is basically
>useless.  SYN floods work not because of the amount of traffic they generate, but
>because they fill up state tables or make them so horribly inefficient as to
>make the box cease responding on that port.  Given that, say, a Linux box
>has a default queue depth of 128, I can send 128 spoofed SYNs at a rate of
>one a second, and in two minutes that box will stop responding.  The larger
>you make the queue, the longer it will stand up to a slow SYN attack, but
>the more costly each incoming SYN and SYN+ACK becomes, as the data
>structures become more and more unwieldy.

If you have a good handle on how much SYN traffic you *normally* get, then 
placing a rate limit like:

! Interface config: 64 kbps of SYNs matching ACL 190, 1200-byte normal and
! maximum burst (equal, so no extended burst); conforming packets go on to the
! next rate-limit statement, the rest are dropped.
rate-limit input access-group 190 64000 1200 1200 conform-action continue exceed-action drop
! Global config. Place your /16 here:
access-list 190 permit tcp any 192.168.0.0 0.0.255.255 syn

will save your network from meltdown.  Of course, good SYN pkts will get 
dropped with bad SYN pkts, but until something better comes along, we use 
what we can.

-Hank


>Thanks,
>Matt
>
>--
>Matthew J. Zito
>Systems Engineer
>Register.com, Inc., 11th Floor, 575 8th Avenue, New York, NY 10018
>Ph: 212-798-9205
>PGP Key Fingerprint: 4E AC E1 0B BE DD 7D BC  D2 06 B2 B0 BF 55 68 99
>
>
>
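As an added illustration (not part of the thread, and not Cisco's CAR implementation), the Python model below covers the two controls discussed above: the customer-edge source-address check from the quoted post, and a token bucket in the shape of Hank's CAR statement, run over a constructed mix of legitimate and flood SYNs to show how many good SYNs are dropped with the bad ones. Everything in it is assumed for the example: the customer prefix 203.0.113.0/24, the 60-byte SYN size, the traffic rates and source addresses, and the helper names (`Packet`, `ingress_filter`, `SynRateLimiter`, `simulate_syn_limiter`). 192.168.0.0/16 is the placeholder /16 from the posted config and 216.35.172.135 the spoofed-source example from the quoted post.

```python
# Added example, not code from the thread: toy model of (1) BCP 38-style source
# filtering at a customer edge and (2) a CAR-shaped token bucket for inbound SYNs.
# All addresses, sizes and rates are constructed for the example.
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed: the prefix assigned to the customer behind this edge interface.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Packet:
    t_ms: int          # arrival time in milliseconds (integers keep the bucket exact)
    src: str
    dst: str
    proto: str         # "tcp", "udp", "icmp"
    flags: frozenset   # TCP flag names, e.g. frozenset({"SYN"})
    size: int          # bytes on the wire
    kind: str          # constructed label: "legit", "attack" or "probe"


def ingress_filter(pkt, customer_prefixes):
    """Customer-edge source check: forward only if the source is inside the prefixes
    assigned to this customer. RFC 1918 sources never pass, and neither do valid
    addresses that belong to someone else (the 216.35.172.135 case in the thread)."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in RFC1918):
        return False
    return any(src in net for net in customer_prefixes)


class SynRateLimiter:
    """Token bucket in the shape of the posted CAR policy:
        rate-limit input access-group 190 64000 1200 1200 conform-action continue exceed-action drop
        access-list 190 permit tcp any <protected /16> syn
    With burst-normal == burst-max CAR's extended burst is off, so a plain bucket that
    refills at rate_bps and holds at most burst_bytes is a faithful model."""

    def __init__(self, protected, rate_bps, burst_bytes):
        self.protected = ipaddress.ip_network(protected)
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.tokens = burst_bytes        # bucket starts full
        self.last_ms = 0

    def matches_acl(self, pkt):
        # ACL 190: tcp, any source, destination in the protected /16, SYN bit set
        # (the IOS `syn` keyword matches any segment with SYN set, SYN+ACK included).
        return (pkt.proto == "tcp" and "SYN" in pkt.flags
                and ipaddress.ip_address(pkt.dst) in self.protected)

    def admit(self, pkt):
        """True = conform-action continue (forward), False = exceed-action drop."""
        if not self.matches_acl(pkt):
            return True                  # rate-limit statement does not apply
        refill = (self.rate_bps * (pkt.t_ms - self.last_ms)) // 8000   # bits/s -> bytes per ms
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = pkt.t_ms
        if self.tokens >= pkt.size:
            self.tokens -= pkt.size
            return True
        return False


def build_traffic():
    """Constructed stream: 10 legitimate SYN/s for 10 s into the /16, plus a 4 s
    spoofed-source flood at 500 SYN/s (30 kB/s against an 8 kB/s allowance)."""
    syn = frozenset({"SYN"})
    legit = [Packet(t, "198.51.100.%d" % (i % 200 + 1), "192.168.1.10", "tcp", syn, 60, "legit")
             for i, t in enumerate(range(0, 10_000, 100))]
    # flood arrives on odd milliseconds so it never ties with a legitimate SYN
    attack = [Packet(t, "192.0.2.%d" % (i % 250 + 1), "192.168.1.10", "tcp", syn, 60, "attack")
              for i, t in enumerate(range(2001, 6000, 2))]
    return sorted(legit + attack, key=lambda p: p.t_ms)


def simulate_syn_limiter():
    """Run the constructed stream through the CAR-shaped policy and count, per kind,
    what gets through: once the bucket is dry, good SYNs drop alongside bad ones."""
    limiter = SynRateLimiter("192.168.0.0/16", rate_bps=64_000, burst_bytes=1200)
    stats = {"legit_total": 0, "legit_forwarded": 0, "attack_total": 0, "attack_forwarded": 0}
    for pkt in build_traffic():
        stats[pkt.kind + "_total"] += 1
        if limiter.admit(pkt):
            stats[pkt.kind + "_forwarded"] += 1
    return stats


if __name__ == "__main__":
    for src in ("203.0.113.7", "216.35.172.135", "10.1.2.3"):
        probe = Packet(0, src, "192.168.1.10", "tcp", frozenset({"SYN"}), 60, "probe")
        verdict = "forward" if ingress_filter(probe, CUSTOMER_PREFIXES) else "drop"
        print("ingress %-16s -> %s" % (src, verdict))
    print(simulate_syn_limiter())
```

Run as a script it prints the three ingress decisions (only the customer's own 203.0.113.7 is forwarded) and the limiter counts: with this mix the bucket passes 539 of the 2000 flood SYNs and 73 of the 100 legitimate ones, all 27 losses falling inside the four-second flood, because the 8 kB/s allowance is shared blindly between good and bad SYNs. That is the trade-off Hank points out above, in numbers.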




More information about the NANOG mailing list