Over a decade of DDOS--any progress yet?
Thomas Mangin
thomas.mangin at exa-networks.co.uk
Wed Dec 8 15:10:37 UTC 2010
A less common action is to use flowspec (if you have some Juniper gear) to drop only the attack and hopefully not any legitimate traffic.
What is really missing atm is a way to filter flowspec announcements (limit the number and make sure they are for routes the peer is announcing). Until this is sorted I believe flowspec will be a marginal solution.
Thomas
PLUG: http://code.google.com/p/exabgp/
On 8 Dec 2010, at 13:46, alvaro.sanchez at adinet.com.uy wrote:
> A very common action is to blackhole ddos traffic upstream by sending a
> bgp route to the next AS with a preestablished community indicating the
> traffic must be sent to Null0. The route may be very specific, in order
> to impact as less as possible. This needs previous coordination between
> providers.
> Regards.
>
>> ----Mensaje original----
>> De: rdobbins at arbor.net
>> Fecha: 08/12/2010 10:53
>> Para: "North American Operators' Group"<nanog at nanog.org>
>> Asunto: Re: Over a decade of DDOS--any progress yet?
>>
>>
>> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>>
>>> One big problem (IMHO) of DDoS is that sources (the host of
> botnets) may be completely unaware that they are part of a DDoS. I do
> not mean the bot machine, I mean the ISP connecting those.
>>
>> The technology exists to detect and classify this attack traffic, and
> is deployed in production networks today.
>>
>> And of course, the legitimate owners of the botted hosts are
> generally unaware that their machine is being used for nefarious
> purposes.
>>
>>> In the other hand the target of a DDoS cannot do anything to stop
> to attack besides adding more BW or contacting one by one the whole
> path of providers to try to minimize the effect.
>>
>> Actually, there're lots of things they can do.
>>
>>> I know that this has many security concerns, but would it be good
> a signalling protocol between ISPs to inform the sources of a DDoS
> attack in order to take semiautomatic actions to rate-limit the traffic
> as close as the source? Of course that this is more complex that these
> three or two lines, but I wonder if this has been considerer in the
> past.
>>
>> It already exists.
>>
>> -----------------------------------------------------------------------
>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>>
>> Sell your computer and buy a guitar.
>>
>>
>>
>>
>>
>>
>
>
>
More information about the NANOG
mailing list