automatic rtbh trigger using flow data
rdobbins at arbor.net
Sun Sep 2 03:02:43 UTC 2018
On 1 Sep 2018, at 1:35, Aaron Gould wrote:
> I may mark internet-sourced-udp with a certain marking dscp/exp so
> that as it travels through my internet
> network, it will be the first to get dropped (? WRED ? work well for
> udp?) during congestion when an attack gets through
You can use flow telemetry analysis to look at the UDP non-initial
fragments destined for any access networks under your control; you'll
likely see that they comprise a tiny portion of the overall traffic mix,
and they're most commonly associated with large DNS answers.
Once you've determined the numbers, you can police down the non-initial
fragments destined for the access networks you control (don't do this on
transit traffic!) to whatever small percentage makes the most sense,
with a bit of extra headroom. 1% of link bandwidth works for several
In that QoS policy, you exempt well-known/well-run open DNS recursor
farms like Google DNS, OpenDNS, et al. (and possibly your own,
depending on your topology, etc.), and any other legitimate source CIDRs
which generate appreciable amounts of non-initial fragments.
When a reflection/amplification attack which involves non-initial
fragments hits, the QoS policy will sink a significant proportion of the
attack. It doesn't help with your peering links, but keeps the traffic
off your core and off the large network(s).
Again, don't apply this across-the-board; only do it for access networks
within your span of administrative control.
> * btw, what can you experts tell me about tcp-based volumetric
Roland Dobbins <rdobbins at arbor.net>
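The analysis step Roland describes (measure UDP non-initial fragments headed for your own access networks, exclude known recursor farms, leave transit alone, then size a policer with headroom) can be prototyped against flow export before touching any router. The following is an added example, not code from the post or from any vendor; it assumes the flow exporter supplies a fragment-offset field (such as the IPFIX fragmentOffset element), and all addresses, prefixes and byte counts are constructed from documentation/benchmark ranges rather than taken from any real network.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

UDP = 17

@dataclass(frozen=True)
class Flow:
    """One flow record. frag_offset > 0 marks a non-initial IPv4 fragment,
    which carries no UDP header (exporters usually show ports as 0 for it)."""
    src: str
    dst: str
    proto: int
    frag_offset: int   # in 8-byte units; 0 for unfragmented or first fragment
    octets: int

# Constructed: access networks under our administrative control (the only
# destinations the policer may apply to) and a stand-in for exempt recursor
# farms. Real deployments would list Google DNS, OpenDNS, their own recursors, etc.
ACCESS_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
EXEMPT_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/28",)]

# Constructed sample export; values chosen to exercise each class below.
SAMPLE_FLOWS = [
    Flow("203.0.113.5",  "192.0.2.10",   UDP, 185, 1200),   # large DNS answer from exempt recursor
    Flow("203.0.113.99", "192.0.2.10",   UDP, 0,   512),    # unfragmented/first fragment: not in scope
    Flow("198.18.0.7",   "192.0.2.20",   UDP, 185, 1480),   # non-initial fragment from arbitrary source
    Flow("198.18.0.8",   "198.51.100.4", UDP, 370, 1480),   # same, second access network
    Flow("198.18.0.9",   "100.64.0.1",   UDP, 185, 1480),   # destination is not ours: transit, never policed
    Flow("198.18.0.10",  "192.0.2.30",   6,   0,   90000),  # TCP, out of scope
    Flow("198.18.0.11",  "192.0.2.30",   UDP, 0,   40000),  # ordinary UDP
]

def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def classify(flow: Flow, access_nets=ACCESS_NETS, exempt=EXEMPT_SOURCES) -> str:
    """Return which QoS class a record falls into under the policy in the post."""
    if flow.proto != UDP or flow.frag_offset == 0:
        return "other"          # not a UDP non-initial fragment
    if not in_any(flow.dst, access_nets):
        return "transit"        # outside our span of control: leave it alone
    if in_any(flow.src, exempt):
        return "exempt"         # well-run recursor farm, carved out of the policer
    return "police"             # what the policer would actually rate-limit

def summarize(flows, access_nets=ACCESS_NETS, exempt=EXEMPT_SOURCES):
    """Octets per class plus the grand total, so the policed share can be sized."""
    per_class = Counter()
    total = 0
    for f in flows:
        per_class[classify(f, access_nets, exempt)] += f.octets
        total += f.octets
    return dict(per_class), total

def police_fraction(flows, access_nets=ACCESS_NETS, exempt=EXEMPT_SOURCES) -> float:
    """Share of all observed octets that the policer class represents."""
    per_class, total = summarize(flows, access_nets, exempt)
    return per_class.get("police", 0) / total if total else 0.0

def policer_rate_bps(link_bps: float, observed_fraction: float, headroom: float = 2.0) -> float:
    """Size the policer as the observed share times a headroom multiplier.
    The headroom value is an assumption for illustration, not a recommendation."""
    return link_bps * observed_fraction * headroom

def candidate_exemptions(flows, top_n: int = 5, access_nets=ACCESS_NETS, exempt=EXEMPT_SOURCES):
    """Top source /24s in the policed class, for a human to review as possible
    legitimate fragment sources that should be added to the exemption list."""
    by_prefix = Counter()
    for f in flows:
        if classify(f, access_nets, exempt) == "police":
            net = ipaddress.ip_network(f"{f.src}/24", strict=False)
            by_prefix[str(net)] += f.octets
    return by_prefix.most_common(top_n)

if __name__ == "__main__":
    per_class, total = summarize(SAMPLE_FLOWS)
    frac = police_fraction(SAMPLE_FLOWS)
    print("octets per class:", per_class, "total:", total)
    print(f"policed share of traffic: {frac:.4%}")
    print("policer on a 10G link:", policer_rate_bps(10e9, frac), "bps")
    print("review for exemption:", candidate_exemptions(SAMPLE_FLOWS))
```

Run it over a real export by replacing SAMPLE_FLOWS with records parsed from your collector; the `candidate_exemptions` output is the list Roland's "any other legitimate source CIDRs" step asks you to inspect before the policy goes live, and `transit` traffic is deliberately never counted toward the policed class.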