Unwanted Traffic Removal Service (UTRS)

William Herrin bill at herrin.us
Wed Oct 8 18:45:25 UTC 2014


On Wed, Oct 8, 2014 at 9:59 AM, John Kristoff <jtk at cymru.com> wrote:
> If you think this is a terrible idea and want to express all that is
> wrong with it, tell me that too, I can take it.

Hi John,

It's a good idea, I think, but it has a problem: it's an escalation in
an arms race that doesn't end well for the blue team. If we ever get
good at keeping traffic to a single IP far enough away to not cripple
us, the attacker need only spray the /24. Or spray our entire address
space, easily identifiable from our BGP announcement. All this effort
on our end and it took the attacker 15 minutes to modify his code.

Two general types of DDOS traffic: botnets and forged source addresses.

For the botnets, lots of real machines, each with a legitimate source
IP address, we need to get to a router interface as close to each
source address as we can get. Then temporarily shut down traffic from
that source address crossing that link until the data flow suggests
the problem traffic has ceased. Even if we have to pay the ISP who
owns that link to do it for us.

Quickly find it with automation. Quickly authenticate the attack flow.
Quickly pay for remediation.

For the address forgers, we need some kind of public detection system
where ISPs who care provide the trace tools that let us figure out
where the rogue attacking our network is _actually_ coming from. After
which we can pay the ISP to interdict any traffic destined for
anywhere in our network which enters from that link. Quickly with
automation.

We can't win the arms race based on the destination; we'll only win it
if we find a way to zero in on and interdict the source.

Regards,
Bill Herrin


P.S. Also worth noting that paying a DDOS mitigation service can
already accomplish the best-case result from something like UTRS. The
mitigator announces the affected /24, sinks the attacked IP address
and tunnels the rest of the packets back to us. Expensive but easy
peasy.


-- 
William Herrin ................ herrin at dirtside.com  bill at herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
May I solve your unusual networking challenges?
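The source-side, automatically expiring interdiction Bill describes above, as an added example that is not from the post, from UTRS or from Team Cymru: a toy controller that reads constructed flow records, blocks a source only once it crosses a per-window volume threshold toward the protected prefix, and lifts the block after that source has been quiet for a hold-down period, rather than blackholing the destination. The protected prefix, thresholds and sample addresses are assumed values.

```python
# Added example (not from the post or UTRS): per-source temporary interdiction
# driven by flow records, with expiry once the flow stops.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PROTECTED = ip_network("198.51.100.0/24")  # assumed: our announced address space
BYTES_THRESHOLD = 50_000                    # per-window bytes that trigger a block
WINDOW = 10                                 # seconds per accounting window
HOLD_DOWN = 30                              # quiet seconds before a block is lifted


@dataclass
class Controller:
    blocked: dict = field(default_factory=dict)   # src -> last time seen attacking
    counters: dict = field(default_factory=dict)  # (src, window) -> bytes seen

    def observe(self, src, dst, nbytes, t):
        """Account one flow record; return a block action if a threshold is crossed.
        Records for an already-blocked source are assumed to come from the
        interdicting link's drop counters, so they refresh the expiry timer."""
        if ip_address(dst) not in PROTECTED:
            return None
        if src in self.blocked:
            self.blocked[src] = t          # still attacking; keep the block alive
            return None
        key = (src, t // WINDOW)
        self.counters[key] = self.counters.get(key, 0) + nbytes
        if self.counters[key] > BYTES_THRESHOLD:
            self.blocked[src] = t
            return ("block", src)          # hand to the upstream ISP / router ACL
        return None

    def expire(self, now):
        """Lift blocks whose source has been quiet for HOLD_DOWN seconds."""
        lifted = [s for s, last in self.blocked.items() if now - last >= HOLD_DOWN]
        for s in lifted:
            del self.blocked[s]
        return [("unblock", s) for s in lifted]


# Constructed sample: one legitimate client and one high-volume source.
SAMPLE = [
    ("203.0.113.5", "198.51.100.10", 1_000, 0),
    ("192.0.2.77", "198.51.100.10", 30_000, 1),
    ("192.0.2.77", "198.51.100.10", 30_000, 2),   # crosses threshold here
    ("203.0.113.5", "198.51.100.10", 1_000, 3),
    ("192.0.2.77", "198.51.100.10", 30_000, 4),   # refreshes the block's timer
]


def run(records, controller=None):
    """Feed records through a controller; return it and the actions emitted."""
    c = controller or Controller()
    actions = [a for r in records if (a := c.observe(*r))]
    return c, actions
```

Note that the legitimate client is never touched, which is the point of filtering by source rather than by destination.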