DDOS, IDS, RTBH, and Rate limiting

Jon Lewis jlewis at lewis.org
Sun Nov 9 03:37:45 UTC 2014

On Sun, 9 Nov 2014, Roland Dobbins wrote:

> On 9 Nov 2014, at 10:12, Jon Lewis wrote:
>> The tricky part is when to remove the route...since you can't tell if the 
>> attack has ended while the target is black holed by your upstreams.
> You can with NetFlow, if you've D/RTBHed the IP in question on your own 
> infrastructure.  NetFlow reports statistics on dropped traffic (except on a 
> few platforms with implementation deficiencies).

I'm assuming from the OP's comment:

  "We set up BGP communities with our upstreams, and tested that RTBH can
  be set and it does work."

that they have their upstreams null routing the traffic, so they no longer 
see the attack traffic.

> But this kind of thing punishes the victim.  It's far better to do everything 
> possible to *protect* the target(s) of an attack, and only use D/RTBH as a 
> last resort.

I'm sure it's not always the case, but in my experience as a SP, the 
victim virtually always did something to instigate the attack, and is 
usually someone you don't want as a customer.  When I worked for a cloud 
hosting provider, the DDoS "victims" tended to be fraudulent signups who 
were doing malicious or anti-social things on the net and were not paying 
customers anyway.

As someone else mentioned, it's better to sacrifice the one target and end 
the impact quickly than to piss off all or even some subset of your 

  Jon Lewis, MCP :)           |  I route
                              |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
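The point Roland raises above, that you can only see the attack ending if the address is also D/RTBHed on your own routers so NetFlow keeps accounting the dropped traffic, translates into a simple hold-down decision: keep the black-hole route up until traffic toward the target has stayed below some floor for several consecutive intervals. The following is an added example, not code from this thread or from any NANOG poster; it assumes a simplified, constructed flow-record shape (timestamp, destination, bytes, dropped flag) that a real collector would produce after decoding NetFlow/IPFIX, and the threshold, interval length and quiet-period values are made-up parameters.

```python
"""Decide when a locally D/RTBHed target has gone quiet enough to withdraw the route.

Added example (not from the NANOG thread). The flow-record format below is a
constructed simplification: a real NetFlow/IPFIX collector would supply these
fields after decoding the export. Field order (ts, dst, bytes, dropped) and all
threshold values are assumptions chosen for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import Dict, Iterable, Tuple, Union

FlowRecord = Tuple[int, str, int, bool]   # (unix ts seconds, dst ip, bytes, dropped)
Network = Union[IPv4Network, IPv6Network]

# Constructed sample flows: a volumetric attack on 192.0.2.10 that tails off
# after ~3 minutes. Flows with dropped=False are normal forwarded traffic.
SAMPLE_FLOWS: list = [
    (10,  "192.0.2.10",   50_000_000, True),
    (70,  "192.0.2.10",   48_000_000, True),
    (130, "192.0.2.10",   45_000_000, True),
    (190, "192.0.2.10",    2_000_000, True),
    (250, "192.0.2.10",      300_000, True),
    (310, "192.0.2.10",      200_000, True),
    (370, "192.0.2.10",      150_000, True),
    (130, "192.0.2.20",    9_000_000, False),   # neighbouring host, not black-holed
    (250, "198.51.100.5",  1_000_000, False),   # unrelated destination
]


def bytes_per_interval(flows: Iterable[FlowRecord], target: Network,
                       interval_s: int = 60) -> Dict[int, int]:
    """Sum bytes per interval for flows toward `target` that the router dropped.

    Only dropped flows count: once the /32 is black-holed locally, anything the
    router still exports for it is discard traffic, which is exactly the signal
    that tells you whether the attack is still running. If only the upstream
    black-holes the address, this view is empty, which is the OP's problem.
    """
    buckets: Dict[int, int] = defaultdict(int)
    for ts, dst, nbytes, dropped in flows:
        if dropped and ip_address(dst) in target:
            buckets[ts // interval_s] += nbytes
    return dict(buckets)


def can_withdraw(buckets: Dict[int, int], threshold_bytes: int,
                 quiet_intervals: int, last_interval: int) -> bool:
    """True if the last `quiet_intervals` intervals (ending at last_interval)
    were all below `threshold_bytes`. Intervals with no flows count as zero."""
    start = last_interval - quiet_intervals + 1
    return all(buckets.get(i, 0) < threshold_bytes
               for i in range(start, last_interval + 1))


def first_safe_interval(buckets: Dict[int, int], threshold_bytes: int,
                        quiet_intervals: int) -> int:
    """Earliest interval index at which the hold-down condition is satisfied,
    or -1 if the attack never went quiet within the observed data."""
    if not buckets:
        return -1
    for i in range(min(buckets), max(buckets) + 1):
        if can_withdraw(buckets, threshold_bytes, quiet_intervals, i):
            return i
    return -1


def bits_per_second(nbytes: int, interval_s: int = 60) -> float:
    """Convenience conversion for reporting an interval's volume as bps."""
    return nbytes * 8 / interval_s


if __name__ == "__main__":
    target = ip_network("192.0.2.10/32")
    per_min = bytes_per_interval(SAMPLE_FLOWS, target)
    for idx in sorted(per_min):
        print(f"minute {idx}: {bits_per_second(per_min[idx]):,.0f} bps toward {target}")
    # Withdraw only after three consecutive minutes under 1 MB/min (assumed floor).
    safe = first_safe_interval(per_min, threshold_bytes=1_000_000, quiet_intervals=3)
    print("route can be withdrawn at minute", safe)
```

The hold-down (three quiet intervals rather than one) is the part worth keeping: attacks often pulse, and withdrawing on a single quiet minute re-exposes the target and then re-triggers the black hole. Whatever announces the withdrawal (pulling the community-tagged /32 from the trigger router) is left out here, since that depends on the platform.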
