ICANN Targets DDoS Attacks

Alex Bligh alex at alex.org.uk
Fri Nov 1 17:45:03 UTC 2002



--On 29 October 2002 21:11 +0000 "Stephen J. Wilcox" 
<steve at telecomplete.co.uk> wrote:

> As they say, if you dont set the rate limit too low then you wont
> encounter drops under normal operation.

It would be useful if [vendor-du-jour] implemented rate-limiting
by hased corresponding IP address.

IE:
 hash=gethash(source);
 if (!hash) {hash=gethash(dest)}
 if (hash) ratelimiton(bucket(hash);

That way you could (on transit interfaces) specify a paltry limit
of (say) 10kb/s of ICMP (per (hashed) source/destination), even
when there was 'naturally' hundreds of Mb/s of ICMP flowing
through the interface in a non DDoS environment. And if
an IP gets DDoS'd (or sources a DDoS), the ratelimit would
only affect that IP (oh, and any hash equivalents) only.
As, for these purposes, dropping large numbers of relatively
inactive hash entries wouldn't be painful, I would have thought
this would be unlikely to suffer from the self-similarity
properties that made Netflow hard - but perhaps not.

Alex




More information about the NANOG mailing list