[AusNOG] DDOS mitigation

David Miller dmiller at tiggee.com
Fri May 10 02:11:41 EST 2013


On 09/05/2013, at 6:12 PM, "Dobbins, Roland" <rdobbins at arbor.net> wrote:
>> On May 9, 2013, at 1:37 PM, Matt Carter wrote:
>>
>>> Consider if you want to blackhole a /32 because it is under attack; with some of the bit rates seen in recent attacks, it's potentially/likely affecting the upstream provider as well and may have an impact on their other customers, or at least a segment of their access network.
>> It's odd how folks still tend to focus on destination-based blackholing, when S/RTBH works quite well:
>>
>> <http://tools.ietf.org/html/rfc5635>
>>
>> <https://www.box.com/s/xznjloitly2apixr5xge>
>>
>> -----------------------------------------------------------------------
>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>>
> On 05/09/2013 04:38 AM, Chris Chaundy wrote:
> Well Nextgen offers RTBH, as do Tata/VSNL, Verizon and NTT and others mentioned.  Start the process of elimination. :-)
>
> BTW, we modify/propagate the community where possible to stop things closer to the source.
>
> Re: S/RTBH, we use customer ingress filtering and we don't trust customers to apply this (easy to accidentally or deliberately take out someone else, see 4.1 in the RFC noted below), but we can apply this from the NOC after vetting things.  The one drawback is that you really need to carry full routing tables everywhere.
>
> Cheers, Chris Chaundy

D/RTBH should be available, at a very minimum, from any transit
provider.  If it isn't available, then run (don't walk) to another
provider.  I would use the fact that it is not available from a provider
as a sign of lack of preparedness on several other levels.

D/RTBH completes the attack unless you move the host to another
address.  If your attackers are a bit sophisticated they will follow DNS
changes.  Some can follow DNS even if you are prepared to fast flux the
host.

BTW: If a transit provider modifies/propagates the community to pass the
D/RTBH route on to other networks, I would want a community to be
provided that could prevent that from happening.

+1  No transit providers provide S/RTBH to customers for the reasons
pointed out above and in the RFC.  Perhaps very few transit providers
offer it to customers, I've never seen it.  I would be greatly concerned
by any provider that did offer it to any customer other than me.

What we should ALL be shouting at router vendors and transit providers
to support is Flowspec - RFC 5575 ( http://www.ietf.org/rfc/rfc5575.txt ).

-DMM

A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?
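The call for Flowspec support above is easier to weigh with the wire format in front of you. The Python below is an added example, not code from this thread or from any vendor's implementation: it builds an RFC 5575 NLRI and the traffic-rate extended community for two constructed rules. The host 192.0.2.10, the prefix 192.0.2.0/24 and AS 64496 are documentation-range placeholders, and the numeric-operator encoder handles the general case (OR lists and ANDed ranges) rather than only the single-term match the first rule uses.

```python
"""Build BGP Flowspec (RFC 5575) NLRI and the traffic-rate extended community.

Added example, not code from the AusNOG thread. Addresses use the
documentation range 192.0.2.0/24 and the documentation ASN 64496 (assumptions).
"""
import ipaddress
import struct

# Component types, RFC 5575 section 4.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6

# Numeric operator bits (lt, gt, eq) in the low three bits of the operator octet.
LT, GT, EQ = 0x04, 0x02, 0x01
_END, _AND = 0x80, 0x40                  # end-of-list and and-with-previous flags
_LEN_CODE = {1: 0, 2: 1, 4: 2}           # value length code stored in bits 5..4


def prefix_component(ctype, prefix):
    """Type 1/2 component: type, prefix length, then only the octets the
    prefix length covers (a /32 needs 4 octets, a /24 needs 3)."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype, terms):
    """Type 3..6 component. `terms` is a list of (op_bits, value, and_prev);
    and_prev=True ANDs the term with the one before it (used for ranges),
    otherwise consecutive terms are ORed. The last term carries the end flag."""
    if not terms or terms[0][2]:
        raise ValueError("first term must exist and cannot AND with a predecessor")
    out = bytearray([ctype])
    for i, (op, value, and_prev) in enumerate(terms):
        size = 1 if value < 0x100 else 2 if value < 0x10000 else 4
        octet = (op & 0x07) | (_LEN_CODE[size] << 4)
        if and_prev:
            octet |= _AND
        if i == len(terms) - 1:
            octet |= _END
        out += bytes([octet]) + value.to_bytes(size, "big")
    return bytes(out)


def encode_nlri(components):
    """Concatenate components in ascending type order (each type at most once,
    as the RFC requires) and prepend the 1- or 2-octet NLRI length."""
    types = [c[0] for c in components]
    if len(set(types)) != len(types):
        raise ValueError("duplicate component type")
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


def traffic_rate_community(asn, bytes_per_second):
    """Traffic-rate extended community (type 0x80, sub-type 0x06): 2-octet AS,
    then the rate as an IEEE-754 float32. A rate of 0 means discard."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("traffic-rate carries a 2-octet AS number")
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(bytes_per_second))


def drop_udp_to_host_rule():
    """Drop UDP datagrams to 192.0.2.10 with destination port 53 (constructed
    rule): the Flowspec equivalent of a D/RTBH that leaves the host's other
    traffic alone."""
    nlri = encode_nlri([
        prefix_component(DST_PREFIX, "192.0.2.10/32"),
        numeric_component(IP_PROTO, [(EQ, 17, False)]),
        numeric_component(DST_PORT, [(EQ, 53, False)]),
    ])
    return nlri, traffic_rate_community(64496, 0)


def rate_limit_high_ports_rule():
    """Police traffic to 192.0.2.0/24 on ports 1024..65535 to 1 Mbit/s
    (125000 bytes/s); the range is two ANDed terms (constructed rule)."""
    nlri = encode_nlri([
        prefix_component(DST_PREFIX, "192.0.2.0/24"),
        numeric_component(DST_PORT, [(GT | EQ, 1024, False), (LT | EQ, 65535, True)]),
    ])
    return nlri, traffic_rate_community(64496, 125000)


if __name__ == "__main__":
    for name, (nlri, ext) in (("drop", drop_udp_to_host_rule()),
                               ("police", rate_limit_high_ports_rule())):
        print(f"{name}: nlri={nlri.hex()} ext-community={ext.hex()}")
```

The NLRI travels in MP_REACH_NLRI with AFI 1 / SAFI 133, and the traffic-rate community is what turns a match into an action; a rate of zero is the discard that replaces a whole-/32 blackhole with a per-protocol, per-port drop. The same validation the RFC asks of a receiver (originator must own the destination prefix, section 6) is what stops a customer from using Flowspec to take out someone else, the same concern raised above for S/RTBH.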
