Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
Alexei Roudnev
alex at relcom.net
Thu Jun 3 05:40:11 UTC 2004
You do not even need to maintain ACLs - many routers have a 'back-path
verification' feature.
I wonder why DSL and other 'consumer level' providers are not doing it for
100% of their customers.
----- Original Message -----
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <nanog at merit.edu>
Sent: Wednesday, June 02, 2004 8:25 AM
Subject: Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
> John Obi wrote:
> > ... since DDoS is the
> > nightmare of the internet now.
> >
>
> The sad fact is that simple ingress and egress filtering would
> eliminate the majority of bogus traffic on the Internet -- including
> (D)DoS attacks. If all ISPs would simply drop all outbound packets
> whose source address is not a valid IP for the subnet of origin,
> and all inbound packets that do not have valid source IP addresses,
> the DDoS problem would be (for all intents and purposes) fixed. If
> proper filtering was done, then any DoS attacks would have to have
> either valid source IP addresses, or IP addresses that spoofed IPs
> within their network of origin. In either case, identifying and
> shutting down the attackers would become a greatly simplified task
> compared to the mess it is today.
>
> Why no filtering by ISPs? "Because it takes resources and only benefits
> the other guy" -- unless your network is the one under attack.
>
> Maintenance of the ACLs should not be the issue. A single ACL for each
> subnet would be all that would be required for egress filtering. About
> 30 ACLs on an inbound border router would be required for ingress
> filtering. Keeping the ingress ACLs current is a brain-dead task -- just
> subscribe to the bogon mailing list at cymru.com.
>
> ACLs have had a bad reputation for greatly slowing down routers. That
> may have been true in the past, but properly written ACLs do not seem
> to have a significant impact on most new routers. Yes, they may cut
> peak through-put a few percent -- but if you are running that close to
> the edge, it is time to upgrade anyway.
>
> IMHO, there is absolutely no excuse for not doing ingress and egress
> filtering. In fact, if you are an ISP, I would argue that you are
> negligent in your fiduciary responsibilities to your customers and
> shareholders if you are not filtering source IP addresses.
>
> Fancy solutions may make great marketing, but simple proper router
> filtering is a very workable lower-cost solution.
>
> (Step down from soap box.) At least, that's my $0.02 worth.
>
> Jon Kibler
> --
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC USA
> (843) 849-8214
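The two mechanisms argued over in this thread, per-subnet egress ACLs plus a border ingress (bogon) ACL on one side and the router's reverse-path check on the other, can be modelled in a few lines. The following is an added example, not code from either poster; the forwarding table, interface names and bogon entries are constructed for the demonstration (a real bogon list would be pulled from the cymru.com feed the post mentions).

```python
import ipaddress

# Constructed forwarding table: prefix -> interface the router would use to
# reach it. Longest prefix wins; 0.0.0.0/0 is the default route upstream.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "cust-a",       # customer A
    ipaddress.ip_network("198.51.100.0/24"): "cust-b",    # customer B
    ipaddress.ip_network("0.0.0.0/0"): "upstream",        # the Internet
}

# Prefixes this network originates; they must never arrive from upstream.
OUR_PREFIXES = [net for net, iface in FIB.items() if iface != "upstream"]

# Constructed, abbreviated bogon list (reserved/private space). In practice it
# is kept current from a maintained feed rather than hard-coded.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def lookup(ip):
    """Longest-prefix match against the FIB; returns the outgoing interface."""
    addr = ipaddress.ip_address(ip)
    best = max((net for net in FIB if addr in net), key=lambda n: n.prefixlen)
    return FIB[best]


def urpf_strict(src, in_iface):
    """Unicast reverse-path check, strict mode: accept the packet only if the
    route back to its source points out the interface it arrived on. This is
    the 'no ACL to maintain' approach: it reuses the routing table."""
    return lookup(src) == in_iface


def egress_acl(src, in_iface):
    """One ACL per customer subnet: a packet leaving a customer port must carry
    a source inside the prefix(es) assigned to that port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net, iface in FIB.items() if iface == in_iface)


def ingress_acl(src):
    """Border ingress ACL: drop bogon sources and packets that claim to come
    from our own address space (an outsider spoofing an inside host)."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return False
    if any(addr in net for net in OUR_PREFIXES):
        return False
    return True


def filter_packet(src, in_iface):
    """Decide the fate of a packet from its source address and arrival
    interface, applying the ACLs first and the reverse-path check second."""
    if in_iface == "upstream":
        if not ingress_acl(src):
            return "drop: ingress (bogon or spoofed internal source)"
    elif not egress_acl(src, in_iface):
        return "drop: egress (source not in customer subnet)"
    if not urpf_strict(src, in_iface):
        return "drop: uRPF (reverse path does not match arrival interface)"
    return "forward"


if __name__ == "__main__":
    # Constructed sample packets: (source address, arrival interface).
    for src, iface in [("192.0.2.7", "cust-a"),      # legitimate customer A
                       ("198.51.100.3", "cust-a"),   # A spoofing B's address
                       ("203.0.113.9", "cust-a"),    # A spoofing an outside host
                       ("203.0.113.9", "upstream"),  # normal inbound traffic
                       ("10.1.2.3", "upstream"),     # bogon source from outside
                       ("192.0.2.7", "upstream")]:   # outsider spoofing A
        print(f"{src:>14} via {iface:<8} -> {filter_packet(src, iface)}")
```

Note that the spoofed customer packets are caught by the egress ACL and, independently, by the strict reverse-path check (`urpf_strict("198.51.100.3", "cust-a")` is false while the same source on `cust-b` is true), which is the substance of the reply: where the router supports it, the per-subnet ACL becomes redundant. The border bogon ACL is the one piece the reverse-path check does not replace when a default route exists, since every outside source "matches" the default.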