DDOS, IDS, RTBH, and Rate limiting

Frank Bulk frnkblk at iname.com
Sun Nov 9 02:42:38 UTC 2014


There's no doubt, rate-limiting is a poor-man's way of getting the job done,
but for small operators who aren't as well instrumented (whether that due to
staff or resources), a simple rule such as:
	access-list 100 ip host 0.0.0.0 0.0.0.0 rate-limit 200000
	access-list 100 ip host 0.0.0.0 0.0.0.255 rate-limit 5000000
	int vlan 10
        description Internet uplink
	 ip access-group 100 in
	!
would be great.

Yes, the /32 under attack would essentially be out of service, but at least
the downstream network doesn't get congested and more customers affected.

Frank

-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Roland Dobbins
Sent: Saturday, November 08, 2014 8:28 PM
To: NANOG
Subject: Re: DDOS, IDS, RTBH, and Rate limiting


On 9 Nov 2014, at 8:59, Frank Bulk wrote:

> I've written it before: if there was a software feature in routers 
> where I
> could specify the maximum rate any prefix size (up to /32) could 
> receive,
> that would be very helpful.

QoS generally isn't a suitable mechanism for DDoS mitigation, as the 
programmatically-generated attack traffic ends up 'crowding out' 
legitimate traffic.

S/RTBH, flowspec, and other methods tend to produce better results.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>




More information about the NANOG mailing list