UUNet Offer New Protection Against DDoS
Steve Francis
steve at expertcity.com
Sat Mar 6 20:37:20 UTC 2004
Christopher L. Morrow wrote:
>> minuscule amounts of traffic in uunet's core is still enough to ddos many
>> a victim into oblivion. anyone who has been ddos'd by uunet customers can
>> appreciate that.
>
> minuscule is enough to cause problems in anyone's network.... the point
> here was: "Core isn't the right place for this" I wasn't really trying to
> argue the 'urpf is good' or 'urpf is bad' argument, just the placement.
>
> Sorry if I made that confusing earlier.

So we all agree that in the ideal world, everyone has anti-spoofing ACLs
and route map filters and what not on every link into their network.
But in the real world...given that you are going to be peering with ISPs
(or their upstreams) that do not do uRPF or anything at all on their
edges, if you want to drop the patently bogus traffic, or your
customers don't want to pay you for delivering it to them over links
they don't want congested with it, what do you do?

I guess you can say "peering links are not core", and that's fine if you
run loose-uRPF there, and can be assured that all access to your network
has filters on all links. I was thinking of large peering routers as
part of the core of an ISP, so loose-uRPF is sufficient on those
routers, if edges are protected.

But if you are going to run loose-uRPF on your peering routers, why not
run it on your core? Is there a technological reason not to? Do Cisco OC48
line cards not support it? (At least some do.) I'm almost sure Juniper
does too. But I don't play in that area.

And given that there are ISPs running it in the core; that it will
block some malicious traffic; and spoofed traffic may well be used as an
attack vector again (sometime people are going to have to catch on and
patch machines, or worms will patch them for them, and reduce the botnet
farm size. Maybe not this year, but sometime...), I still don't see why
you are against it.

I accept that filtering on all edges, including peering, is a better
place to do it. So do you filter on, say, peering links to other tier
1's? Even so, why not have belt AND suspenders, and run it in the core?
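The strict-versus-loose uRPF distinction the thread keeps circling is easy to see in a toy model. The following is an added example, not code from this thread or from any router vendor: it runs a constructed FIB (made-up prefixes and interface names) against a few constructed packets to show why loose mode is the one that can live on peering/core routers (it only needs *some* route back to the source, so asymmetric paths survive) while strict mode belongs on single-homed edges (it catches a customer prefix spoofed in from a peer, which loose mode lets through).

```python
# Added example: toy strict/loose uRPF over a constructed FIB. Not vendor code.
import ipaddress

# Constructed FIB: (prefix, egress interface). No default route, as on a
# full-table core router; with a default route, loose mode would pass nearly
# anything unless the default were excluded from the reverse-path lookup.
# "null0" marks a discard route; uRPF treats it as "no usable route".
FIB = [
    ("203.0.113.0/24",  "cust-A"),      # single-homed customer A
    ("198.51.100.0/24", "cust-B"),      # single-homed customer B
    ("192.0.2.0/24",    "peer-east"),   # prefix learned from a peer
    ("10.0.0.0/8",      "null0"),       # RFC1918 space blackholed on purpose
]

def lookup(fib, src):
    """Longest-prefix match on the source address; returns egress iface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_pass(fib, src, ingress, mode):
    """True if a packet from `src` arriving on `ingress` survives the uRPF check."""
    egress = lookup(fib, src)
    if egress is None or egress == "null0":
        return False                 # unrouted or blackholed source: drop in both modes
    if mode == "loose":
        return True                  # any real route back suffices
    if mode == "strict":
        return egress == ingress     # reverse path must match the arrival interface
    raise ValueError(f"unknown uRPF mode {mode!r}")

def classify(packets, fib=FIB):
    """Map each constructed (src, ingress) packet to (strict_result, loose_result)."""
    return {(s, i): (urpf_pass(fib, s, i, "strict"), urpf_pass(fib, s, i, "loose"))
            for s, i in packets}

# Constructed packets: (source address, ingress interface).
PACKETS = [
    ("203.0.113.7", "cust-A"),       # legitimate: source matches customer A's link
    ("203.0.113.7", "peer-east"),    # customer A's prefix arriving from a peer
    ("192.0.2.9",   "peer-uplink"),  # peer prefix arriving on a different link (asymmetry)
    ("10.1.2.3",    "peer-east"),    # RFC1918 source, route points at null0
    ("100.64.0.1",  "peer-east"),    # no route at all
]
```

Running `classify(PACKETS)` shows the split: strict mode alone drops the customer prefix arriving from the peer, but it would also drop the legitimately asymmetric peer traffic, which is why loose mode is the only mode safe to turn on where paths are not symmetric.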