anycast and ddos

• Previous message (by thread): anycast and ddos
• Next message (by thread): anycast and ddos
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On May 6, 2005, at 12:40 PM, Randy Bush wrote:

> it seems that anycasting was quite insufficient to protect
> netsol's service from being severely damaged (udp dead, tcp
> worked) for a considerable length of time by a ddos [0] last
> week [1].  it would be very helpful to other folk concerned
> with service deployment to understand how the service in
> question was/is anycast, and what might be done differently
> to mitigate exposure of similar services.
>
> anyone have clues or is this ostrich city?  maybe a preso at
> nanog would be educational.

Seconded.


> [0] - as it seems that the ddos sources were ip address
>       spoofed (which is why the service still worked for
>       tcp), i owe paul an apology for downplaying the
>       immediacy of the need for source address filtering.

I was under the - possibly mistaken - impression that they activated  
their Riverhead boxes and that's why only TCP worked, not because of  
spoofed source.

Or are you saying that since the sources were spoofed, they could not  
filter the attack and had to resort to Riverhead's 'truncate' mechanism?


> [1] - netsol is not admitting anything happened, of course
>       <sigh>.  but we all saw the big splash as it hit the
>       water, the bubbles as it sank, and the symptoms made
>       the cause pretty clear.

How much does it suck that a major piece of Internet infrastructure  
was severely affected and the details are shrouded?

-- 
TTFN,
patrick

• Previous message (by thread): anycast and ddos
• Next message (by thread): anycast and ddos
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]