New Solution: (was: Re: Counter DoS)
James
haesu at towardex.com
Fri Mar 12 04:38:04 UTC 2004
the thing is though, by allowing any /32's... what prevents
/all/ customers from abusing it by curiosity of what would
happen? :)
the fact that you are allowing any /32's (up to 100 or whatever
max prefix lim. you set) is like giving a can of worms to your
customers. i don't think it's even worth the effort to bother when
you have more than a couple of customers abusing it.
security for one, SLA for the other, thirdly i just don't trust
customers injecting routes into my backbone w/o telling us.
i don't think bgp or a routing protocol is the right way to solve
infected-machines participating in ddos nets.
-J
On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote:
>
>
> Here is a solution I would like to propose -- it is not as
> set-and-forget as network operators like, but we do know that some of
> our customers have a lot of expertise with this stuff, and taking
> advantage of that value helps. This is along the categories of
> collateral damage, scorched earth and generally punitive action for
> DDOS-compromised hosts. Because not everyone will read every line, I am
> going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT
> AWAY FROM THEM. This will backfire if it's used for spam blackholes;
> it will really only have an effect in the narrower DDOS space.
>
> Along with the idea of blackhole communities, I do NOT recommend it be
> turned on across-the-board for every customer, and once it has reached
> penetration, say 20-30% of the internet backbones use this feature -- it
> should be phased back and only be an ICB item. (called Planned Obl.)
>
> Just like the blackhole community routes, certain /32's (only, nothing
> shorter) can be exported from the customer to the backbone to be
> blackholed at the edges. The twist is that instead of limiting the
> customer announcement to the customer's IPs, you force only /32s to be
> announced for the blackhole prefixes and limit the total number of
> prefixes. Say 100 (or 10, or 1000, depending on how much trust you have).
>
> So say, joe-customer has identified his top 50 DDOS sources, he
> announces them to you, voila, DDOS gone. (even for spoofed traffic,
> depending on how your filters are set up) Obviously these would be
> no-export routes so no peer need be worried.
>
> The theory - It creates an actual, measured response to customer
> machines being vulnerable. It makes parts ( ideally large parts ) of the
> internet unavailable to those with vulnerable computers.
>
> The bad side - People could black hole important sites, until the
> ALL-CAPS rule is applied.
>
> The somewhat less bad, bad side - Most of these /32s wouldn't be removed
> until the cable provider called the blackholing provider.
>
> The reality is that these filters are probably created today by backbone
> security folks, so the question is how fast you want the
> injections/rejections.
>
> IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM.
>
> Comments?
>
> Deepak
--
James Jun, TowardEX Technologies, Inc.
Technical Lead, Network Design, Consulting, IT Outsourcing
james at towardex.com, Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867, web: http://www.towardex.com, noc: www.twdx.net
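The customer import policy Deepak proposes (blackhole-tagged routes accepted only as /32s, capped in number, kept no-export and pointed at a discard next-hop, while untagged routes must sit inside the customer's own allocation), written out as an added Python example that is not part of either post; the community value, discard next-hop, customer blocks and announced prefixes are assumed placeholders. Note that nothing in the policy can check what the /32 points at, which is exactly the can of worms James raises.

```python
from dataclasses import dataclass, field
import ipaddress

# Assumed placeholders: the customer blackhole community, and a next-hop the backbone routes to Null0.
BLACKHOLE = "65000:666"
NO_EXPORT = "no-export"
DISCARD_NEXT_HOP = "192.0.2.1"

@dataclass
class Route:
    prefix: str
    communities: set = field(default_factory=set)
    next_hop: str = ""

def customer_import_policy(routes, customer_blocks, max_blackholes):
    """Evaluate one customer session; returns (accepted, rejected, session_ok).

    Blackhole-tagged routes must be /32s; they get the discard next-hop and
    no-export and count against max_blackholes (exceeding it tears the session
    down, like BGP maximum-prefix). Untagged routes must sit in customer_blocks.
    """
    blocks = [ipaddress.ip_network(b) for b in customer_blocks]
    accepted, rejected, bh_count = [], [], 0
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if BLACKHOLE in r.communities:
            if net.prefixlen != 32:
                rejected.append((r.prefix, "blackhole must be /32"))
                continue
            bh_count += 1
            if bh_count > max_blackholes:
                rejected.append((r.prefix, "max-prefix exceeded"))
                return accepted, rejected, False
            accepted.append(Route(r.prefix, r.communities | {NO_EXPORT}, DISCARD_NEXT_HOP))
        elif any(net.subnet_of(b) for b in blocks):
            accepted.append(Route(r.prefix, set(r.communities), r.next_hop))
        else:
            rejected.append((r.prefix, "outside customer allocation"))
    return accepted, rejected, True

def demo():
    # Constructed session: customer holds 203.0.113.0/24; one good blackhole, one over-broad, one hijack.
    routes = [
        Route("203.0.113.0/24"),
        Route("198.51.100.7/32", {BLACKHOLE}),
        Route("198.51.100.0/24", {BLACKHOLE}),
        Route("192.0.2.0/24"),
    ]
    return customer_import_policy(routes, ["203.0.113.0/24"], max_blackholes=100)
```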