New Solution: (was: Re: Counter DoS)

James haesu at towardex.com
Fri Mar 12 04:38:04 UTC 2004


	the thing is though, by allowing any /32's... what prevents
	/all/ customers from abusing it by curiosity of what would
	happen? :)

	the fact that you are allowing any /32's (up to 100 or whatever
	max prefix lim. you set) is like giving a can of worms to your
	customers. i don't think it's even worth the effort to bother when
	you have more than a couple of customers abusing it.

	security for one, SLA for the other, thirdly i just don't trust
	customers injecting routes into my backbone w/o telling us.

	i don't think bgp or a routing protocol is the right way to solve
	infected-machines participating in ddos nets.

-J

On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote:
> 
> 
> Here is a solution I would like to propose -- it is not as 
> set-and-forget as network operators like, but we do know that some of 
> our customers have a lot of expertise with this stuff, and taking 
> advantage of that value helps. This is along the categories of 
> collateral damage, scorched earth and generally punitive action for 
> DDOS-compromised hosts. Because not everyone will read every line, I am 
> going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT 
> AWAY FROM THEM. This will backfire if it's used for Spam blackholes; 
> it will really only have an effect in the narrower DDOS space.
> 
> Along with the idea of blackhole communities, I do NOT recommend it be 
> turned on across-the-board for every customer, and once it has reached 
> penetration, say 20-30% of the internet backbones use this feature -- it 
> should be phased back and only be an ICB item (called Planned Obl.).
> 
> Just like the blackhole community routes, certain /32's (only, nothing 
> shorter) can be exported from the customer to the backbone to be 
> blackholed at the edges. The twist is that instead of limiting the 
> customer announcement to the customer's IPs, you force only /32s to be 
> announced for the blackhole prefixes and limit the total number of 
> prefixes. Say 100 (or 10, or 1000, depending on how much trust you have).
> 
> So say, joe-customer has identified his top 50 DDOS sources, he 
> announces them to you, voila, DDOS gone. (even for spoofed traffic, 
> depending on how your filters are set up) Obviously these would be 
> no-export routes so no peer need be worried.
> 
> The theory - It creates an actual, measured response to customer 
> machines being vulnerable. It makes parts ( ideally large parts ) of the 
> internet unavailable to those with vulnerable computers.
> 
> The bad side - People could black hole important sites, until the 
> ALL-CAPS rule is applied.
> 
> The somewhat less bad, bad side - Most of these /32s wouldn't be removed 
> until the cable provider called the blackholing provider.
> 
> The reality is that these filters are probably created today by backbone 
> security folks, so the question is how fast you want the 
> injections/rejections.
> 
> IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM.
> 
> Comments?
> 
> Deepak

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james at towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
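The import policy Deepak sketches (accept only /32 blackhole announcements from a customer, cap how many, tag them no-export so they never reach peers, and pull the feature once the cap is abused) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from either poster or from any router vendor. It also carries a switch for the restriction James would prefer, accepting host routes only inside the customer's own address space. The blackhole community value 65000:666, the address blocks and the cap of 2 in the usage call are constructed; the host-route check compares against the address family's maximum prefix length, so it treats IPv6 /128s the same way as IPv4 /32s, which goes slightly beyond what the thread discusses.

```python
"""Model of a per-customer import policy for customer-triggered blackhole routes.

Constructed example: the community value, prefixes and limits are made up.
"""
import ipaddress

# Well-known NO_EXPORT community: blackholed host routes must never reach peers.
NO_EXPORT = "no-export"
# Hypothetical community a customer attaches to request a blackhole (constructed value).
BLACKHOLE = "65000:666"


class CustomerBlackholePolicy:
    """Import policy applied to one customer session.

    max_prefixes   -- cap on concurrently accepted blackhole host routes;
                      exceeding it disables the feature for that customer
                      (the "take it away from them" rule).
    customer_space -- if non-empty, host routes must fall inside these blocks
                      (the conservative variant); if empty, any host route is
                      accepted (the variant proposed in the thread).
    """

    def __init__(self, max_prefixes=100, customer_space=()):
        self.max_prefixes = max_prefixes
        self.customer_space = [ipaddress.ip_network(p) for p in customer_space]
        self.accepted = set()
        self.disabled = False

    def _in_customer_space(self, net):
        return any(net.version == block.version and net.subnet_of(block)
                   for block in self.customer_space)

    def evaluate(self, prefix, communities):
        """Return (action, detail) for a single announced route.

        action is "normal" (no blackhole request, left to the ordinary
        customer prefix filter), "accept" (detail = communities to set) or
        "reject" (detail = reason).
        """
        if BLACKHOLE not in communities:
            return ("normal", "no blackhole community; apply regular customer filter")
        if self.disabled:
            return ("reject", "blackhole feature disabled for this customer")
        net = ipaddress.ip_network(prefix)
        # Host routes only: /32 for IPv4 (the thread's case), /128 for IPv6.
        if net.prefixlen != net.max_prefixlen:
            return ("reject", f"host routes only, got /{net.prefixlen}")
        if self.customer_space and not self._in_customer_space(net):
            return ("reject", "host route outside customer address space")
        if net in self.accepted:
            # Duplicate update for a route already held: nothing changes.
            return ("accept", {BLACKHOLE, NO_EXPORT})
        if len(self.accepted) >= self.max_prefixes:
            self.disabled = True
            return ("reject", f"more than {self.max_prefixes} blackhole routes; feature disabled")
        self.accepted.add(net)
        return ("accept", {BLACKHOLE, NO_EXPORT})

    def withdraw(self, prefix):
        """Remove a previously accepted host route; True if it was present."""
        net = ipaddress.ip_network(prefix)
        present = net in self.accepted
        self.accepted.discard(net)
        return present

    def blackhole_table(self):
        """Sorted list of host routes currently blackholed for this customer."""
        return sorted(str(n) for n in self.accepted)


if __name__ == "__main__":
    # Constructed walk-through: a customer with a cap of 2 blackhole routes.
    policy = CustomerBlackholePolicy(max_prefixes=2)
    for prefix, comms in [("203.0.113.7/32", {BLACKHOLE}),
                          ("203.0.113.0/24", {BLACKHOLE}),
                          ("198.51.100.1/32", {BLACKHOLE}),
                          ("192.0.2.1/32", {BLACKHOLE}),
                          ("192.0.2.0/24", set())]:
        print(prefix, policy.evaluate(prefix, comms))
    print("blackholed:", policy.blackhole_table())
```

The third host route in the walk-through trips the cap and flips `disabled`, after which every further blackhole request from that customer is refused until an operator re-enables the session policy; that is the mechanical form of the ALL-CAPS rule. Passing `customer_space` turns the same object into the stricter filter, which is the part James objects to leaving open.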
