ddos attacks

cb.list6 cb.list6 at gmail.com
Thu Dec 19 21:39:25 UTC 2013


On Dec 19, 2013 4:25 PM, "Dobbins, Roland" <rdobbins at arbor.net> wrote:
>
>
> On Dec 19, 2013, at 6:12 AM, cb.list6 <cb.list6 at gmail.com> wrote:
>
> > I am strongly considering having my upstreams to simply rate limit ipv4
UDP.
>
> QoS is a very poor mechanism for remediating DDoS attacks.  It ensures
that programmatically-generated attack traffic will 'squeeze out'
legitimate traffic.
>

I agree. But ... i am pretty sure i am going to do it. Trade offs.

> > During an attack, 100% of the attack traffic is ipv4 udp (dns, chargen,
whatever).
>
> Have you checked to see whether you and/or your customers have open DNS
recursors, misconfigured CPE devices, etc. which can be used as
reflectors/amplifiers on your respective networks?
>
> Have you implemented NetFlow and S/RTBH?  Considered building a
mitigation center?
>
> <http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
>
> Do you work with your peers/upstreams/downstreams to mitigate DDoS
attacks when they ingress your network?
>

Not answering any of that. But thanks for asking.

> There are lots of things one can do to increase one's ability to detect,
classify, traceback, and mitigate DDoS attacks, yet which aren't
CAPEX-intensive.
>

I think ipv4 udp is just going to become operationally deprecated.  Too
much pollution.  It is really an epic amount of trash / value ratio in ipv4
udp.

I recommend folks enable their auth dns servers for ipv6 ... and dont run
open resolvers

CB

> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>           Luck is the residue of opportunity and design.
>
>                        -- John Milton
>
>


More information about the NANOG mailing list