RTBH and Flowspec Measurements - Stop guessing when the attack will over

Douglas Fischer fischerdouglas at gmail.com
Mon Feb 1 17:31:52 UTC 2021


I think most here know (way better than me) the concepts of DDoS, anomaly
detection, and reactions.

Some of the reactions that can be implemented to reduce the impact of an
attack are Remote-Triggered BlackHole and FlowSpec Filtering.

In theory, with FlowSpec it would be possible for the source that triggers
that FlowSpec announcement to receive from the Flowspec-Enforcer-Box the
measurements of those rules.
But in fact, considering FlowSpec enforcement as a service, I've never seen
that happen between a FlowSpec-RulesGenerator-Box and a FlowSpec-Enforcer-Box
that are operated by different organizations.
(If some company does, please let me know.)


So, in practice, the FlowSpec-RulesGenerator-Box needs to play a
guessing game of how long it will take until the attack ceases.
- First, send that FlowSpec filter for 3 minutes.
- After that initial timer expires and the FlowSpec filter is removed,
measure the flows on its own equipment.
- If the attack is still there, re-announce the FlowSpec filter rule for
15 more minutes.
- Wait for it to expire again; if the attack is still there, re-announce for
30 more minutes, and keep this up in an eternal loop.

The same occurs with Remote-Triggered Blackhole.
I need to remove it and feel whether it is still there.
And every time I do that, small partial outages occur at the destination
network.


Have you ever imagined if those who implemented the RTBH or FlowSpec
could give you some feedback on the usage of that blackhole or FlowSpec drop?

I really still don't know how to do this...
Or even whether there already is a solution to that and I'm trying to
reinvent the wheel.

What do you think about that?
Any Ideas?



-- 
Douglas Fernando Fischer
Engº de Controle e Automação
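To make the timer loop in the post concrete, here is an added simulation (not code from the post or from any FlowSpec implementation). It models, at one-minute granularity, the 3/15/30-minute escalation the post describes, counting how many times the rule has to be withdrawn just to "feel" whether the attack is still there and how many minutes of attack traffic reach the destination during those probe windows. For comparison it also models the feedback loop the post wishes for, as a hypothetical: an enforcer that exposes a per-rule drop counter which the rule generator polls and uses to decide when to withdraw. The attack model, the one-minute probe window and the two-idle-polls threshold are constructed assumptions.

```python
"""Added illustration: escalating-timer "guessing game" for FlowSpec/RTBH
announcements versus a hypothetical counter-driven withdrawal. Minute
granularity, constructed timings; no BGP is spoken here."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Hold timers from the post: 3 minutes, then 15, then 30 and loop on 30.
ESCALATION_MINUTES = [3, 15, 30]


@dataclass
class Outcome:
    events: List[Tuple[int, str]] = field(default_factory=list)  # (minute, "announce"|"withdraw")
    probe_windows: int = 0   # withdrawals done only to "feel" whether the attack is still there
    leaked_minutes: int = 0  # minutes during which attack traffic reached the destination
    withdrawn_at: int = -1   # minute of the final withdrawal


def attack_active(minute: int, attack_end: int) -> bool:
    """Constructed attack model: traffic flows from minute 0 until attack_end."""
    return 0 <= minute < attack_end


def guessing_game(attack_end: int, steps=ESCALATION_MINUTES,
                  probe_minutes: int = 1, max_cycles: int = 100) -> Outcome:
    """Rule generator with no enforcer feedback: announce, let the timer expire,
    measure on its own gear during the probe window, re-announce with the next
    timer. Every probe window is a partial outage if the attack is still on."""
    out, t, i = Outcome(), 0, 0
    for _ in range(max_cycles):
        hold = steps[min(i, len(steps) - 1)]       # 3, 15, 30, 30, 30 ...
        out.events.append((t, "announce"))
        t += hold
        out.events.append((t, "withdraw"))
        out.probe_windows += 1
        if not attack_active(t, attack_end):
            out.withdrawn_at = t                   # attack really is over
            return out
        out.leaked_minutes += probe_minutes        # attack hits the destination while we look
        t += probe_minutes
        i += 1
    raise RuntimeError("attack outlasted max_cycles")


def counter_driven(drops_in_minute: Callable[[int], int],
                   idle_polls_to_withdraw: int = 2, max_polls: int = 1000) -> Outcome:
    """Hypothetical feedback loop (assumption, not an existing protocol feature):
    the enforcer exposes a per-rule drop counter, polled once a minute by the
    rule generator, which withdraws once the counter stops moving for
    idle_polls_to_withdraw consecutive polls. The rule never has to be removed
    just to see whether the attack is still there."""
    out = Outcome()
    out.events.append((0, "announce"))
    idle = 0
    for t in range(1, max_polls + 1):
        delta = drops_in_minute(t - 1)             # counter delta for minute [t-1, t)
        idle = idle + 1 if delta == 0 else 0
        if idle >= idle_polls_to_withdraw:
            out.events.append((t, "withdraw"))
            out.withdrawn_at = t
            return out
    raise RuntimeError("counter never went idle within max_polls")


def compare(attack_end: int) -> dict:
    """Run both strategies against the same constructed attack."""
    g = guessing_game(attack_end)
    c = counter_driven(lambda m: 1000 if attack_active(m, attack_end) else 0)
    return {
        "guessing": (g.probe_windows, g.leaked_minutes, g.withdrawn_at - attack_end),
        "counter": (c.probe_windows, c.leaked_minutes, c.withdrawn_at - attack_end),
    }  # tuples: (probe windows, leaked minutes, minutes of over-mitigation)


if __name__ == "__main__":
    for end in (2, 40, 100):
        print(f"attack lasting {end} min:", compare(end))
```

The third element of each tuple is how long the rule stayed up after the attack actually ended: the escalating timer either withdraws early and leaks, or overshoots by up to the current hold time, while the counter-driven version overshoots only by the idle threshold and never opens a probe window.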


More information about the NANOG mailing list