Over a decade of DDOS--any progress yet?

Thomas Mangin thomas.mangin at exa-networks.co.uk
Wed Dec 8 15:10:37 UTC 2010


A less common action is to use flowspec (if you have some Juniper gear) to drop only the attack and hopefully not any legitimate traffic.
What is really missing atm is a way to filter flowspec announcements (limit the number and make sure they are for routes the peer is announcing). Until this is sorted I believe flowspec will be a marginal solution.

Thomas

PLUG: http://code.google.com/p/exabgp/

On 8 Dec 2010, at 13:46, alvaro.sanchez at adinet.com.uy wrote:

> A very common action is to blackhole ddos traffic upstream by sending a 
> bgp route to the next AS with a preestablished community indicating the 
> traffic must be sent to Null0. The route may be very specific, in order 
> to impact as little as possible. This needs previous coordination between 
> providers.
> Regards.
> 
>> ----Original message----
>> From: rdobbins at arbor.net
>> Date: 08/12/2010 10:53 
>> To: "North American Operators' Group"<nanog at nanog.org>
>> Subject: Re: Over a decade of DDOS--any progress yet?
>> 
>> 
>> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>> 
>>> 	One big problem (IMHO) of DDoS is that sources (the host of 
>>> botnets) may be completely unaware that they are part of a DDoS. I do 
>>> not mean the bot machine, I mean the ISP connecting those.
>> 
>> The technology exists to detect and classify this attack traffic, and 
>> is deployed in production networks today.
>> 
>> And of course, the legitimate owners of the botted hosts are 
>> generally unaware that their machine is being used for nefarious 
>> purposes.
>> 
>>> 	On the other hand, the target of a DDoS cannot do anything to stop 
>>> the attack besides adding more BW or contacting one by one the whole 
>>> path of providers to try to minimize the effect.
>> 
>> Actually, there're lots of things they can do.
>> 
>>> 	I know that this has many security concerns, but would a 
>>> signalling protocol between ISPs to inform the sources of a DDoS 
>>> attack, in order to take semiautomatic actions to rate-limit the traffic 
>>> as close as possible to the source, be good? Of course this is more complex than these 
>>> three or two lines, but I wonder if this has been considered in the 
>>> past.
>> 
>> It already exists.
>> 
>> -----------------------------------------------------------------------
>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>> 
>> 	       Sell your computer and buy a guitar.
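The missing flowspec filter Thomas describes, as an added example that is not part of this thread nor of ExaBGP: received flowspec rules are accepted only when their destination prefix falls inside a unicast prefix the same peer announces, and only up to a per-peer cap. The peer routes, the rules and the cap are constructed sample values.

```python
import ipaddress

# Constructed sample data (assumption: a single flowspec peer, IPv4 only).
# Unicast prefixes this peer currently announces to us.
PEER_UNICAST_ROUTES = ["203.0.113.0/24", "198.51.100.0/23"]

# Constructed flowspec announcements received from that same peer.
# Only the destination-prefix component matters for this check.
FLOWSPEC_RULES = [
    {"dst": "203.0.113.10/32", "proto": "udp", "dport": 53},
    {"dst": "192.0.2.0/24",    "proto": "udp", "dport": 123},   # not the peer's route
    {"dst": "198.51.100.0/24", "proto": "tcp", "dport": 80},
    {"dst": "0.0.0.0/0",       "proto": "icmp"},                # catch-all
    {"dst": "203.0.113.0/25",  "proto": "tcp", "dport": 443},   # valid, but over the cap
]

MAX_RULES_PER_PEER = 2  # assumption: operator-chosen cap per peer


def covered_by_peer(dst, peer_routes):
    """True if dst lies inside a unicast prefix the peer itself announced."""
    d = ipaddress.ip_network(dst, strict=False)
    for p in peer_routes:
        r = ipaddress.ip_network(p, strict=False)
        # subnet_of() raises on mixed address families, so compare versions first
        if r.version == d.version and d.subnet_of(r):
            return True
    return False


def filter_flowspec(rules, peer_routes, max_rules):
    """Accept only rules covered by the peer's own routes, up to max_rules.

    Returns (accepted, rejected); rejected is a list of (rule, reason).
    Only accepted rules count towards the cap, so a flood of bogus rules
    cannot crowd out a peer's valid ones.
    """
    accepted, rejected = [], []
    for rule in rules:
        if not covered_by_peer(rule["dst"], peer_routes):
            rejected.append((rule, "not-covered"))
        elif len(accepted) >= max_rules:
            rejected.append((rule, "limit"))
        else:
            accepted.append(rule)
    return accepted, rejected


if __name__ == "__main__":
    acc, rej = filter_flowspec(FLOWSPEC_RULES, PEER_UNICAST_ROUTES, MAX_RULES_PER_PEER)
    for r in acc:
        print("install", r["dst"])
    for r, why in rej:
        print("drop   ", r["dst"], why)
```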