ONS - The few the proud ... the sleeping
Stephen Wilcox
steve.wilcox at packetrade.com
Fri Aug 17 10:51:47 UTC 2007
On Thu, Aug 16, 2007 at 04:00:36PM +0100, michael.dillon at bt.com wrote:
>
> > Unless all these bots are directly connected (direct
> > customer) and concentrated on one portion of the network (not
> > spread across the entire access layer) I can't imagine with
> > the tools, features, products, etc that are available today
> > (that can almost manage dDoS attacks for you) that it
> > couldn't be mitigated. 5-6 years ago this would have been a
> > lot tougher, but it was still doable.
>
> Remote triggered BGP blackhole filtering comes to mind
> ftp://ftp-eng.cisco.com/cons/isp/security/Remote-Triggered-Black-Hole-Fi
> ltering-02.pdf
>
> And if the bots are directly connected or concentrated in one point of
> the network, it seems to me that simple ACLs can mitigate the attack.
>
> I agree that DDoS is not likely to take down a network big enough to be
> called a backbone unless there is some kind of unforeseen side effects
> to the DDoS.
unless they are not 'in' the network and hence cant be stopped internally and have the potential to overwhelm any external interface.. these cannot be mitigated without cooperation from other networks
Steve
More information about the NANOG
mailing list