Effective ways to deal with DDoS attacks?
Iljitsch van Beijnum
iljitsch at muada.com
Thu May 2 17:08:35 UTC 2002
On Thu, 2 May 2002, Christopher L. Morrow wrote:
> Congrats on re-inventing the wheel :( This is what
> mazuu/arbor/wanwall(riverhead now?) all do... this is also the way
> CenterTrack(tm robert stone) was kind of supposed to work.
Thanks for the kind works.
Just to be clear: I'm not working on a _product_, just on a paper
explaining how to do this using standard components and protocols.
> As near as I can tell this doesn't scale too well in a large network.
If you have a router that can forward 10 Gbps into the right direction,
you can also have a router forward 10 Gbps in the wrong direction. That's
pretty much all it takes.
> This is a shame, but its a reality. Additionally 20k sources max? that's not
> nearly enough, how many addresses are in 0/0 ? you should atleast plan for
> this contingency...
The idea is to use unicast RPF. So you're only limited by the number of
routes a Cisco can hold. 20k per customer under attack should be doable
without too much effort, more should be possible, but filtering 0/0
defeats the purpose. Also, it can be done using a single line, so no
problem there.
More information about the NANOG
mailing list