DDOS, IDS, RTBH, and Rate limiting
frnkblk at iname.com
Sun Nov 9 02:42:38 UTC 2014
There's no doubt, rate-limiting is a poor-man's way of getting the job done,
but for small operators who aren't as well instrumented (whether that due to
staff or resources), a simple rule such as:
access-list 100 ip host 0.0.0.0 0.0.0.0 rate-limit 200000
access-list 100 ip host 0.0.0.0 0.0.0.255 rate-limit 5000000
int vlan 10
description Internet uplink
ip access-group 100 in
would be great.
Yes, the /32 under attack would essentially be out of service, but at least
the downstream network doesn't get congested and more customers affected.
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Roland Dobbins
Sent: Saturday, November 08, 2014 8:28 PM
Subject: Re: DDOS, IDS, RTBH, and Rate limiting
On 9 Nov 2014, at 8:59, Frank Bulk wrote:
> I've written it before: if there was a software feature in routers
> where I
> could specify the maximum rate any prefix size (up to /32) could
> that would be very helpful.
QoS generally isn't a suitable mechanism for DDoS mitigation, as the
programmatically-generated attack traffic ends up 'crowding out'
S/RTBH, flowspec, and other methods tend to produce better results.
Roland Dobbins <rdobbins at arbor.net>
More information about the NANOG