[AusNOG] DDOS mitigation

Luke Iggleden luke+ausnog at sisgroup.com.au
Fri May 10 07:37:42 EST 2013


+1 for flowspec!

On 10/05/13 2:11 AM, David Miller wrote:
> On 09/05/2013, at 6:12 PM, "Dobbins, Roland" <rdobbins at arbor.net> wrote:
>>> On May 9, 2013, at 1:37 PM, Matt Carter wrote:
>>>
>>>> Consider if you want to blackhole a /32 because it is under attack, with some of the bit rates seen in recent attacks, it's potentially/likely affecting the upstream provider as well and may have impact to their other customers or at least a segment of their access network.
>>> It's odd how folks still tend to focus on destination-based blackholing, when S/RTBH works quite well:
>>>
>>> <http://tools.ietf.org/html/rfc5635>
>>>
>>> <https://www.box.com/s/xznjloitly2apixr5xge>
>>>
>>> -----------------------------------------------------------------------
>>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>>>
>> On 05/09/2013 04:38 AM, Chris Chaundy wrote:
>> Well Nextgen offers RTBH, as do Tata/VSNL, Verizon and NTT and others mentioned.  Start the process of elimination. :-)
>>
>> BTW, we modify/propagate the community where possible to stop things closer to the source.
>>
>> Re: S/RTBH, we use customer ingress filtering and we don't trust customers to apply this (easy to accidentally or deliberately take out someone else, see 4.1 in the RFC noted below), but we can apply this from the NOC after vetting things.  The one drawback is that you really need to carry full routing tables everywhere.
>>
>> Cheers, Chris Chaundy
>
> D/RTBH should be available, at a very minimum, from any transit
> provider.  If it isn't available, then run (don't walk) to another
> provider.  I would use the fact that it is not available from a provider
> as a sign of lack of preparedness on several other levels.
>
> D/RTBH completes the attack unless you move the host to another
> address.  If your attackers are a bit sophisticated they will follow DNS
> changes.  Some can follow DNS even if you are prepared to fast flux the
> host.
>
> BTW: If a transit provider modifies/propagates the community to pass the
> D/RTBH route on to other networks, I would want a community to be
> provided that could prevent that from happening.
>
> +1  No transit providers provide S/RTBH to customers for the reasons
> pointed out above and in the RFC.  Perhaps very few transit providers
> offer it to customers, I've never seen it.  I would be greatly concerned
> by any provider that did offer it to any customer other than me.
>
> What we should ALL be shouting at router vendors and transit providers
> to support is Flowspec - RFC 5575 ( http://www.ietf.org/rfc/rfc5575.txt ).
>
> -DMM
>
> A. Because it breaks the logical sequence of discussion.
> Q. Why is top posting bad?
>
> [control target='mind']You will implement BCP 38.[end control]
>
>

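The thread's point is that D/RTBH discards everything for the victim /32 (completing the attack), while flowspec (RFC 5575) lets the match be narrowed, for instance to UDP/53 towards the victim, with a traffic-rate of 0 as the discard action. As an added illustration that is not code from any poster, this encodes the RFC 5575 NLRI (destination prefix, IP protocol, destination port components) and the traffic-rate extended community; the prefix, port and AS number are constructed sample values.

```python
import ipaddress
import struct

# RFC 5575 flow-spec component types used here (section 4)
DEST_PREFIX = 1
IP_PROTO = 3
DEST_PORT = 5


def _prefix_component(ctype, prefix):
    # type, prefix length, then only as many address bytes as the length needs
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, values):
    # Each value is (operator byte, value). Operator: 0x80 end-of-list,
    # 0x40 AND (unset here, so several values are OR'd), 0x10 = 2-byte
    # value length (0x00 = 1 byte), 0x01 = equality.
    out = bytes([ctype])
    for i, v in enumerate(values):
        length_bits, width = (0x00, 1) if v < 256 else (0x10, 2)
        op = length_bits | 0x01
        if i == len(values) - 1:
            op |= 0x80
        out += bytes([op]) + v.to_bytes(width, "big")
    return out


def flowspec_nlri(dst_prefix, protocol=None, dst_ports=()):
    """Build one flow-spec NLRI: length then components in ascending type order."""
    body = _prefix_component(DEST_PREFIX, dst_prefix)
    if protocol is not None:
        body += _numeric_component(IP_PROTO, [protocol])
    if dst_ports:
        body += _numeric_component(DEST_PORT, list(dst_ports))
    if len(body) < 240:
        return bytes([len(body)]) + body
    # lengths >= 240 use two bytes with the top nibble set to 0xF
    return struct.pack("!H", 0xF000 | len(body)) + body


def traffic_rate_ext_community(asn, rate_bytes_per_sec):
    """Traffic-rate action (type 0x8006): 2-byte AS, 4-byte IEEE float; 0 discards."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


if __name__ == "__main__":
    # Sample rule: drop UDP/53 to 192.0.2.1/32 only, leaving the host's other traffic alone.
    print(flowspec_nlri("192.0.2.1/32", protocol=17, dst_ports=[53]).hex())
    print(traffic_rate_ext_community(64496, 0.0).hex())
```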