2009 Worldwide Infrastructure Security Report available for download.
pekkas at netcore.fi
Thu Jan 21 11:34:51 UTC 2010
On Wed, 20 Jan 2010, Stefan Fouant wrote:
> Completely agree on the disturbing observation of the increase in
> rate-limiting as a primary mitigation mechanism for dealing with DDoS. I've
> seen more and more people using this as a mitigation strategy, against my
> advice. For anyone interested in more information on the topic, and why
> rate-limiting is akin to cutting your foot off, I highly recommend you take
> a look at the paper "Effectiveness of Rate-Limiting in Mitigating Flooding
> DoS Attacks" presented by Jarmo Molsa at the Third IASTED International
Thanks to Arbor for collecting the report and your observations.
One thing I found extremely strange is that almost 50% report they use
BCP38/Strict uRPF at peering edge, yet only about 33% use it in
customer direction. (Figure 13, p20)
I wonder if peering edge refers to "drop your own addresses" or real
strict uRPF (or the like)?
If not I'm curious if this is for real, and how in earth they're doing
it, especially given that in Fig 15 (p22) shows they don't implement
BGP prefix filtering. If you can't filter BGP, how could you filter
packets? Based on my experience, even if you filter BGP, you may not
be able to filter packets except in simple scenarios.
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
More information about the NANOG