New Solution: (was: Re: Counter DoS)

Deepak Jain deepak at ai.net
Thu Mar 11 22:17:35 UTC 2004



Here is a solution I would like to propose -- it is not as 
set-and-forget as network operators like, but we do know that some of 
our customers have a lot of expertise with this stuff, and taking 
advantage of that value helps. This is along the categories of 
collateral damage, scorched earth and generally punitive action for 
DDOS-compromised hosts. Because not everyone will read every line, I am 
going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT 
AWAY FROM THEM. This will backfire if it's used for Spam blackholes; 
it will really only have an effect in the narrower DDOS space.

Along with the idea of blackhole communities. I do NOT recommend it be 
turned on across-the-board for every customer, and once it has reached 
penetration, say 20-30% of the internet backbones use this feature -- it 
should be phased back and only be an ICB item. (called Planned Obl.)

Just like the blackhole community routes, certain /32s (only, nothing 
shorter) can be exported from the customer to the backbone to be 
blackholed at the edges. The twist is that instead of limiting the 
customer announcement to the customer's IPs, you force only /32s to be 
announced for the blackhole prefixes and limit the total number of 
prefixes. Say 100 (or 10, or 1000, depending on how much trust you have).

So say joe-customer has identified his top 50 DDOS sources; he 
announces them to you, voila, DDOS gone (even for spoofed traffic, 
depending on how your filters are set up). Obviously these would be 
no-export routes so no peer need be worried.

The theory - It creates an actual, measured response to customer 
machines being vulnerable. It makes parts (ideally large parts) of the 
internet unavailable to those with vulnerable computers.

The bad side - People could black hole important sites, until the 
ALL-CAPS rule is applied.

The somewhat less bad, bad side - Most of these /32s wouldn't be removed 
until the cable provider called the blackholing provider.

The reality is that these filters are probably created today by backbone 
security folks, so the question is how fast you want the 
injections/rejections.

IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM.

Comments?

Deepak
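As an added illustration (not part of Deepak's post, and not any vendor's route-policy syntax), here is the inbound policy the proposal describes, modelled in Python: accept only /32 host routes that carry a blackhole community, do not restrict them to the customer's own address space, cap the number accepted per customer, and rewrite what is accepted to a discard next-hop tagged no-export. The community value, the discard next-hop and the sample announcements are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed values: pick your own ASN:value community and discard next-hop.
BLACKHOLE_COMMUNITY = "65000:666"
NO_EXPORT = "no-export"
DISCARD_NEXT_HOP = "192.0.2.1"      # constructed; points at a null route
MAX_BLACKHOLE_PREFIXES = 100        # the "say 100" trust limit from the post


@dataclass
class Route:
    prefix: str
    communities: set = field(default_factory=set)
    next_hop: str = ""


def apply_blackhole_policy(announcements, limit=MAX_BLACKHOLE_PREFIXES):
    """Evaluate a customer's blackhole announcements; return (accepted, rejected).

    Accept only an exact IPv4 /32 carrying the blackhole community. The
    customer is deliberately NOT restricted to its own address space (the
    twist in the proposal); the blast radius is bounded instead by the /32
    requirement and the per-customer prefix limit. Accepted routes get a
    discard next-hop and the no-export community so they never leave the
    backbone. Rejections carry a reason string for the operator's logs.
    """
    accepted, rejected = [], []
    for r in announcements:
        try:
            net = ipaddress.ip_network(r.prefix, strict=True)
        except ValueError:
            rejected.append((r, "unparseable prefix"))
            continue
        if net.version != 4 or net.prefixlen != 32:
            rejected.append((r, "only /32 host routes may be blackholed"))
            continue
        if BLACKHOLE_COMMUNITY not in r.communities:
            rejected.append((r, "missing blackhole community"))
            continue
        if len(accepted) >= limit:
            rejected.append((r, f"over per-customer limit of {limit}"))
            continue
        accepted.append(Route(prefix=str(net),
                              communities=r.communities | {NO_EXPORT},
                              next_hop=DISCARD_NEXT_HOP))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: a valid /32, a /24 (too short), an untagged /32,
    # and a second valid /32 that exceeds a deliberately tiny limit of 1.
    sample = [
        Route("203.0.113.7/32", {BLACKHOLE_COMMUNITY}),
        Route("198.51.100.0/24", {BLACKHOLE_COMMUNITY}),
        Route("203.0.113.9/32", set()),
        Route("203.0.113.10/32", {BLACKHOLE_COMMUNITY}),
    ]
    ok, bad = apply_blackhole_policy(sample, limit=1)
    for r in ok:
        print("accept", r.prefix, "->", r.next_hop, sorted(r.communities))
    for r, why in bad:
        print("reject", r.prefix, ":", why)
```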



