DDOS, IDS, RTBH, and Rate limiting

Frank Bulk frnkblk at iname.com
Sun Nov 9 01:59:45 UTC 2014

Here's a thought-provoking video on what Brocade has done with its SDN
software load on the MLX:
http://vimeo.com/87476840 (demo at ~15 minute mark)

I've written it before: if there was a software feature in routers where I
could specify the maximum rate any prefix size (up to /32) could receive,
that would be very helpful.  If my fastest speed (residential) customer was
100 Mbps and I specified that 200 Mbps was the highest, I would never see
high-rate attacks enter our network.


-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Eric C. Miller
Sent: Saturday, November 08, 2014 7:10 PM
To: NANOG (nanog at nanog.org)
Subject: DDOS, IDS, RTBH, and Rate limiting

Today, we experienced (3) separate DDoS attacks from Eastern Asia, all
generating > 2Gbps towards a single IP address in our network. All 3 attacks
targeted different IP addresses with dst UDP 19, and the attacks lasted for
about 5 minutes and stopped as fast as they started.

Does anyone have any suggestions for mitigating these type of attacks?

A couple of things that we've done already...

We set up BGP communities with our upstreams, and tested that RTBH can be
set and it does work. However, by the time that we are able to trigger the
black hole, the attack is almost always over.

For now, we've blocked UDP 19 incoming at our edge, so that if future,
similar attacks occur, it doesn't affect our internal links.

What I think that I need is an IDS that can watch our edge traffic and
automatically trigger a block hole advertisement for any internal IP
beginning to receive > 100Mbps of traffic. A few searches are initially
coming up dry...

Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115

More information about the NANOG mailing list