UUNet Offer New Protection Against DDoS

Steve Francis steve at expertcity.com
Sat Mar 6 20:37:20 UTC 2004


Christopher L. Morrow wrote:

>> minuscule amounts of traffic in uunet's core is still enough to ddos many
>> a victim into oblivion. anyone who has been ddos'd by uunet customers can
>> appreciate that.
>
> minuscule is enough to cause problems in anyone's network.... the point
> here was: "Core isn't the right place for this" I wasn't really trying to
> argue the 'urpf is good' or 'urpf is bad' argument, just the placement.
>
> Sorry if I made that confusing earlier.
>
So we all agree that in the ideal world, everyone has anti-spoofing ACLs 
and route-map filters and whatnot on every link into their network.
But in the real world... given that you are going to be peering with ISPs 
(or their upstreams) that do not do uRPF or anything at all on their 
edges, if you want to drop the patently bogus traffic, or your 
customers don't want to pay you for delivering it to them over links 
they don't want congested with it, what do you do?

I guess you can say "peering links are not core", and that's fine if you 
run loose-uRPF there, and can be assured that all access to your network 
has filters on all links. I was thinking of large peering routers as 
part of the core of an ISP, so loose-uRPF is sufficient on those 
routers, if edges are protected.

But if you are going to run loose-uRPF on your peering routers, why not 
run it on your core? Is there a technological reason not to? Cisco OC48 
line cards now support it (at least some do), and I'm almost sure Juniper 
does too. But I don't play in that area.

And given that there are ISPs running it in the core; that it will 
block some malicious traffic; and spoofed traffic may well be used as an 
attack vector again (sometime people are going to have to catch on and 
patch machines, or worms will patch them for them, and reduce the botnet 
farm size. Maybe not this year, but sometime...), I still don't see why 
you are against it.

I accept that filtering on all edges, including peering, is a better 
place to do it. So do you filter on, say, peering links to other tier 
1s? Even so, why not have belt AND suspenders, and run it in the core?
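The post's distinction between strict uRPF at customer edges and loose uRPF on peering/core routers is easiest to see against an actual forwarding table. The following is an added example (not part of the original post, and not vendor code): a small Python model of a FIB with longest-prefix matching, a strict check (source must be reachable via the ingress interface) and a loose check (source must merely exist in the FIB and not be routed to null). The prefixes, interface names and packets are constructed for illustration; the `allow_default` switch mirrors the behaviour on Cisco IOS, where a default route does not satisfy uRPF unless the `allow-default` keyword is given.

```python
"""Model strict vs loose unicast RPF (uRPF) against a toy FIB.

Added example; the FIB and packets below are constructed, not real routes.
"""
import ipaddress
from typing import Optional

# Constructed FIB: prefix -> interface the route points out of.
FIB = {
    "0.0.0.0/0": "peer-X",        # default route learned from a peer
    "192.0.2.0/24": "cust-A",     # single-homed customer A
    "198.51.100.0/24": "cust-B",  # customer B, also multi-homed via peer-X
    "203.0.113.0/24": "peer-X",   # prefix learned from peer X
    "10.0.0.0/8": "null0",        # RFC 1918 bogon discarded via null route
}


def lookup(src: str, allow_default: bool = False) -> Optional[tuple[str, str]]:
    """Longest-prefix match of src in FIB; returns (prefix, iface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue  # like Cisco uRPF without 'allow-default'
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


def urpf_strict(src: str, in_iface: str, allow_default: bool = False) -> bool:
    """Strict mode ('reachable-via rx'): best route must point back out in_iface."""
    m = lookup(src, allow_default)
    return m is not None and m[1] != "null0" and m[1] == in_iface


def urpf_loose(src: str, in_iface: str, allow_default: bool = False) -> bool:
    """Loose mode ('reachable-via any'): any non-null route to the source suffices."""
    m = lookup(src, allow_default)
    return m is not None and m[1] != "null0"


# Constructed packets: (source address, ingress interface, description)
PACKETS = [
    ("192.0.2.7", "cust-A", "customer A, own address"),
    ("203.0.113.5", "cust-A", "customer A spoofing a peer's prefix"),
    ("192.0.2.7", "peer-X", "peer traffic claiming customer A's address"),
    ("198.51.100.9", "peer-X", "multi-homed customer B arriving via peer (legit)"),
    ("100.64.0.1", "peer-X", "source with no route at all"),
    ("10.1.2.3", "peer-X", "RFC 1918 source, null-routed"),
]


def evaluate(packets=PACKETS, allow_default: bool = False) -> list[dict]:
    """Run both checks over each packet and return the verdicts."""
    return [
        {
            "src": src,
            "iface": iface,
            "strict": urpf_strict(src, iface, allow_default),
            "loose": urpf_loose(src, iface, allow_default),
            "note": note,
        }
        for src, iface, note in packets
    ]


if __name__ == "__main__":
    for r in evaluate():
        print(f"{r['src']:>14} via {r['iface']:<7} "
              f"strict={'pass' if r['strict'] else 'DROP':<4} "
              f"loose={'pass' if r['loose'] else 'DROP':<4}  {r['note']}")
```

Running it shows the trade-off the post is arguing about: strict mode catches customer A spoofing a peer's prefix, but also drops the legitimate multi-homed packet from customer B that arrives via the peer, which is why strict belongs only on single-homed edges. Loose mode never drops a legitimate packet, yet still discards sources with no route or a null route, which is the "patently bogus" traffic a core or peering router can safely kill. Note also that with `allow_default=True` every source matches the default route and loose mode passes everything, so a router carrying a default route needs the null routes (or must not honour the default) for loose uRPF to do any work.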
