[AusNOG] Stopping Amplification Attacks

Paul Wilkins paulwilkins369 at gmail.com
Wed Apr 12 15:47:23 EST 2017


There is, unfortunately, zero mandatory requirement on ISPs to provide any
sort of RPF checks. They could have introduced this with the data retention
requirements, and actually materially improved Australian internet.
Opportunity missed. Not implementing BCP38 produces the same externality
effect as pollution, where there is a cost maintaining a clean environment,
but the cost of polluting is borne by some poor Charlie you never have to
meet. It's a classic market failure, and basically that's one of the
reasons we recognise the authority of the State, to stop people shoving
their garbage on other poor Charlies. So taxpayers ought to be asking their
local members, if they're paying tax on their internet, why hasn't the
State mandated RPF protection?

This is very much "watch this space" territory, post DDOS on the Australian
Census, post DDOS UK Euro referendum. Australia is blessed by geography as
regards DDOS, where we could very effectively separate national from
international traffic, and then mandate BCP38 for ISPs and international
carriers, through the use of BGP community, à la Team Cymru.

Kind regards

Paul Wilkins

On 12 April 2017 at 15:12, Boblobsta . <boblobsta at gmail.com> wrote:

> It's very important to note that they are vastly different solutions and
> not directly comparable.
>
> As mentioned earlier in this thread, what OP is talking about is called
> BCP38 and it is (imo) the most important first step for a network owner to
> take.
> It costs nothing but a bit of solid planning (we all do this already,
> right?!) and it ensures that your network cannot originate spoofed traffic.
>
> If everybody did that the need for any DDoS hardware would be very low.
>
> Further from that first step, you can purchase vendor hardware to provide
> your network with additional protection *against other networks who
> choose not to use BCP38.*
>
> Cheers,
> Bob W
>
> On 12 April 2017 at 15:00, Chad Kelly <chad at cpkws.com.au> wrote:
>
>> On 4/12/2017 12:00 PM, ausnog-request at lists.ausnog.net wrote:
>>
>>> Given the way amplification attacks work - where you spoof the source IP
>>> address to be that of the target and then find services that can respond
>>> with significantly larger response (e.g. DNS, NTP etc), I am wondering
>>> if it is considered good practice at the ISP level to block traffic
>>> leaving your network with any source addresses that do not match your
>>> own address range or that of your clients.
>>>
>>> Do many/all ISPs do this? Are there any practical complications from
>>> doing this?
>>>
>> Any of the well-known DDoS attack prevention tools such as those offered
>> by NSFOCUS should do what you want without blocking legitimate traffic.
>> Heck, even AWS has DDoS protection available nowadays as an add-on
>> product.
>> https://nsfocusglobal.com/solutions-overview/premise-ddos-protection-2/
>> https://aws.amazon.com/shield/
>>
>> This at least gives you a couple of solutions to look at anyway.
>>
>> Regards Chad.
>>
>>
>> --
>> Chad Kelly
>> Manager
>> CPK Web Services
>> web www.cpkws.com.au
>> phone 03 5273 0246
>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>
>
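The egress filtering the original question asks about, as an added illustration that is not part of any post in this thread: a static BCP38 egress check (source must fall within our own or our customers' ranges) next to a strict-mode uRPF check (the best route back to the source must exit the interface the packet arrived on), run over constructed flow records. The prefixes, FIB entries and interface names are made up (RFC 5737 documentation ranges), not real allocations.

```python
import ipaddress
from typing import Iterable

# Constructed sample data: the ISP's own range plus one customer assignment
# (RFC 5737 documentation prefixes, not real allocations).
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]

# Constructed FIB for the strict-mode uRPF check: prefix -> interface the
# best route points out of. The customer sits behind "ge-0/0/1".
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "ge-0/0/0",
    ipaddress.ip_network("198.51.100.0/25"): "ge-0/0/1",
    ipaddress.ip_network("0.0.0.0/0"): "transit",
}

def bcp38_egress_ok(src: str, allowed: Iterable[ipaddress.IPv4Network]) -> bool:
    """Static egress ACL: a packet may leave only if its source lies within a
    range we originate for ourselves or our customers."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)

def urpf_strict_ok(src: str, ingress_if: str, fib) -> bool:
    """Strict-mode uRPF: pass only if the longest-prefix route back to the
    source exits the interface the packet arrived on. The default route is
    deliberately ignored, as routers do unless told otherwise."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in fib.items():
        if addr in net and net.prefixlen > 0:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best is not None and best[1] == ingress_if

def classify(flows, allowed, fib):
    """Run both checks over (src, dst, ingress_if) records and report verdicts."""
    out = []
    for src, dst, ingress_if in flows:
        out.append({
            "src": src, "dst": dst, "ingress": ingress_if,
            "egress_acl": "pass" if bcp38_egress_ok(src, allowed) else "drop",
            "urpf_strict": "pass" if urpf_strict_ok(src, ingress_if, fib) else "drop",
        })
    return out

# Constructed flows from the customer port towards an outside resolver:
# legitimate; spoofed with a victim's address (what a reflection attempt
# looks like on the wire); our own range but arriving on the wrong interface.
SAMPLE_FLOWS = [
    ("198.51.100.10", "192.0.2.53", "ge-0/0/1"),
    ("192.0.2.77", "192.0.2.53", "ge-0/0/1"),
    ("203.0.113.5", "192.0.2.53", "ge-0/0/1"),
]
```

The third flow shows the difference between the two approaches: the static ACL passes it because the address is ours, while strict uRPF drops it because the route back to that source does not point at the customer port.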

