The DDOS problem & security BOF: Am i mistaken?

Jeffrey Lyon jeffrey.lyon at
Wed Oct 15 09:21:06 UTC 2008

Let me avoid being long winded and just put on my Captain Obvious
cape. Avoid magic DDoS appliances, particularly those that require
some type of relationship or deposit to be made in advance no matter
how "risk free." There is a reason why these vendor presentations
aren't meeting your expectations.

You're also dead on concerning one's ability to develop and deploy
OSS. Human capital is generally your best resource.

My two cents, Jeff

On Tue, Oct 14, 2008 at 7:08 PM, Scott Doty <scott at> wrote:
> First, the good news:  so far, the NANOG conference has been very valuable
> and
> content-rich, covering a lot of issues that need to be discussed.  For that,
> I am grateful.
> But now, the bad news(?):  Maybe it's just me & my paranoia, but do I detect
> an inkling of "murk spam" going on with some presentations?
> Because there seems to be a fundamental misunderstanding, either on my part,
> or the part of certain vendors: I'm hear to discuss ideas & freely share
> them, and they are here to discuss (it would seem) their products. Sometimes
> both goals coincide, and that is fine...but...
> When a vendor at the security BOF starts showing documents that are "company
> confidential", and trying to whip up a climate of fear, that we should all
> deploy their product in front of our recursive name servers, i get this
> funny feeling that I am being "murk spammed".
> Perhaps that is my own perspective (& paranoia?), but I found the CERT
> gentleman's call to monitor icmp backscatter on our authoritative
> nameservers far more informative -- and open.
> But I was disappointed with two vendors and their presentations: the first
> had the tactic of saying "DNSSEC is the actual solution" when asked about
> why their product would be necessary...completely ignoring the fact that
> their proprietary "interim solution" was by no means the only way to prevent
> cache poisoning attacks.  Indeed, I would daresay it isn't the best, either
> by a BCP perspective, or a cost analysis perspective.
> To put a finer point on this, i should say that i found myself discomforted
> by a presentation suggesting that I should put their proprietary appliances
> between my recursive name servers & the Net, and I am grateful that Mr.
> Vixie stood up and said that there are other ways of dealing with the
> problem.
> Then there was the gentleman with the DDOS detection/mitigation appliance,
> who flipped through several graphs, which were intended to show the number
> of each type of attack.  It's unfortunate that there wasn't more time for
> questions, because I really wanted to ask why "http GET" and "spidering"
> attacks weren't listen on their graphs...more on that in a second.
> Fortunately, said vendor had a table at "beer and gear", so I was able to
> talk with one of their representatives -- and learned that they have just as
> much trouble with automatic detection of attacks designed to look like a
> "slashdotting"...which cleared up the mystery as to why it wasn't on the
> graphs.
> Because this is a real problem:  anybody, with sufficient knowledge &
> preparation can vandalize _anybody's_ network.  Showing me a graph that ping
> floods happen all the time doesn't impress me -- what would impress me is
> going over the actual methods, algorithms (and heuristics?) used in these
> attack mitigation appliances.
> Because, the "best" attack mitigation appliance vendor would seem to have
> 100% of their market, and thus, charge exhorbant prices for their
> product(s).  When I brought this up with Mr. Vendor, his first reaction was
> to point out that the cost was less than a home-grown solution.  When I
> raised the question of open source software to do the same thing, his
> reaction was to ask:  "oh? who's going to write it?"
> And that right there would seem to be a bit of bravado, perhaps fueled by a
> misunderstanding of the role that FOSS has played on the Net.
> Fortunately -- and again, I am grateful for this -- the ISC was represented
> in the security BOF, presenting the SIE well as what
> applications _already exist_ to detect and mitigate various attacks.  One
> demonstration that blew me away:  detecting a botnet being set up for a
> phishing attack...and preventing the attack before it even started.
> So in conclusion, I'll say this:  the last NANOG I attended was NANOG 9 --
> and i remember that being a more challenging environment for vendors.
> Probably the biggest problem discussed back then was head-of-line blocking
> on a vendor's switches.  _That_ is the kind of content that i have found
> valuable, both on this list, and at a conference.
> And so:  If I weren't so knock-kneed in public venues,
> I would probably be doing what i would like to call on conference
> participants to do:  if someone gives a presentation that includes their own
> proprietary black-box "solution", I think the best benefit for NANOG would
> be to point out alternatives.
> -Scott
> p.s. sorry for the long post.

Jeffrey Lyon, President
Level III Information Systems Technician
jeffrey.lyon at |
Black Lotus Communications of The IRC Company, Inc.

Talk for 4h 45m from the U.S. to Latin America for $10.00:

More information about the NANOG mailing list