ddos attacks

Saku Ytti saku at ytti.fi
Fri Dec 20 08:27:21 UTC 2013


On (2013-12-20 03:24 +0000), Dobbins, Roland wrote:

> > I think ipv4 udp is just going to become operationally deprecated.  Too much pollution.  It is really an epic amount of trash / value ratio in ipv4 udp.
> 
> This isn't a realistic viewpoint.

What are realistic options?

a) QUIC and MinimaLT
    - 0 RTT overhead, like UDP
    - no reflection attacks, like TCP
    - all traffic encrypted
    - parity packets to match packet loss to avoid need for resends (QUIC)
    - non-bursty via packet pacing 
    - solution for buffer bloat (packet pacing can be affected by changing
      latency) (QUIC)
    - CPU hit, encryption isn't free, but shouldn't be an issue today
    - mobility, IP is not needed to recognize end-point, you can hop from
      WLAN to 4G without disconnecting

b) ACL between transit provider and transit customer
    - <50k ports to configure in whole world to make UDP reflection useless
      DoS vector

c) ACL/RPF in significant portion of access ports in whole world
    - I'm guessing a significant portion of access ports are on autopilot with
      no one to change their configs, so probably not practical.
> 
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> 
> 	  Luck is the residue of opportunity and design.
> 
> 		       -- John Milton
> 
> 

-- 
  ++ytti
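An added illustration (not part of the post, and not any vendor's ACL or uRPF implementation) of what options (b) and (c) above amount to at a transit/customer edge: source-address validation on traffic leaving the customer (c), and a filter on UDP responses arriving from well-known amplifier source ports toward hosts that never asked for them (b). The customer prefix, the addresses and the flow records are constructed from RFC 5737 documentation ranges; the service port numbers are the real IANA assignments.

```python
import ipaddress
from dataclasses import dataclass

# Well-known UDP services abused as reflectors/amplifiers (real IANA ports).
# An edge ACL that matches responses *from* these ports toward customer hosts
# with no reason to receive them is the idea behind option (b).
REFLECTION_SOURCE_PORTS = {
    19: "chargen",
    53: "dns",
    123: "ntp",
    161: "snmp",
    1900: "ssdp",
}


@dataclass(frozen=True)
class Flow:
    """One flow record as an edge router might export it (constructed format)."""
    src: str
    dst: str
    proto: str          # "udp" or "tcp"
    sport: int
    dport: int
    nbytes: int
    from_customer: bool  # True: customer -> transit, False: transit -> customer


class EdgePolicy:
    """Hypothetical edge policy combining BCP38-style source validation (c)
    with an inbound UDP reflection filter (b)."""

    def __init__(self, customer_prefixes, allowed_response_receivers=()):
        self.prefixes = [ipaddress.ip_network(p) for p in customer_prefixes]
        # Customer hosts that legitimately receive DNS/NTP/etc. answers,
        # e.g. the customer's recursive resolvers and NTP clients.
        self.allowed = {ipaddress.ip_address(a) for a in allowed_response_receivers}

    def _is_customer_address(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.prefixes)

    def evaluate(self, flow):
        # Option (c): anything leaving the customer must carry a customer source
        # address; otherwise the customer network is emitting spoofed packets,
        # which is exactly what triggers a reflection attack elsewhere.
        if flow.from_customer and not self._is_customer_address(flow.src):
            return "drop:spoofed-source"
        # Option (b): drop amplifier responses heading to customer hosts that are
        # not designated receivers, while still letting the resolvers through.
        if (not flow.from_customer and flow.proto == "udp"
                and flow.sport in REFLECTION_SOURCE_PORTS
                and ipaddress.ip_address(flow.dst) not in self.allowed):
            return "drop:reflection-" + REFLECTION_SOURCE_PORTS[flow.sport]
        return "permit"


def summarize(policy, flows):
    """Count verdicts over a batch of flows; useful for a dry run before enforcing."""
    counts = {}
    for flow in flows:
        verdict = policy.evaluate(flow)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample: customer owns 192.0.2.0/24, its resolver is 192.0.2.10.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", "udp", 40000, 53, 60, True),     # resolver query, fine
    Flow("203.0.113.9", "198.51.100.5", "udp", 40000, 123, 60, True),   # spoofed source leaving customer
    Flow("198.51.100.5", "192.0.2.10", "udp", 53, 40000, 3000, False),  # DNS answer to the resolver
    Flow("198.51.100.7", "192.0.2.77", "udp", 123, 40000, 4000, False), # NTP response nobody asked for
    Flow("198.51.100.9", "192.0.2.77", "tcp", 443, 50000, 1500, False), # ordinary TCP, untouched
]

if __name__ == "__main__":
    policy = EdgePolicy(["192.0.2.0/24"], ["192.0.2.10"])
    for flow in SAMPLE_FLOWS:
        print(policy.evaluate(flow), flow)
    print(summarize(policy, SAMPLE_FLOWS))
```

The two checks are deliberately independent: (c) needs only the customer's own prefix list and catches the outbound half of the problem, while (b) needs a short list of ports plus the handful of customer hosts that genuinely talk to those services, which is what keeps the per-customer configuration small.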