[AusNOG] Consensus from the IETF 88 Technical Plenary - Internet hardening

Damian Guppy the.damo at gmail.com
Sat Nov 9 00:11:30 EST 2013


I was under the impression that encryption (IPSEC) did not hide the source
and destination in the header? I was also unaware that it randomized the
size of the packets? It would still be trivial to identify a syn flood by
seeing a lot of new source addresses sending packets with no payload.
Heaven forbid someone would actually have to create this new set of rules
though.

Personally if I was paying someone to DDoS mitigate for me I wouldn't have
a problem providing them with a key to be able to terminate the traffic.

--Damian
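Damian's point above is that a SYN flood is still visible from header metadata (source address, TCP flags, payload length) even when payloads are encrypted. The following is an added example, not code from the thread or from AusNOG, that applies that check to a constructed set of packet-header records; the record layout, thresholds and addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample of per-packet header metadata: fields a network device
# can still read when the payload itself is encrypted (IPsec ESP, TLS).
# (timestamp_s, src_ip, dst_ip, tcp_flags, payload_len)
SAMPLE_HEADERS = [
    (0.0, "192.0.2.1", "198.51.100.5", "S", 0),      # normal handshake
    (0.2, "192.0.2.1", "198.51.100.5", "A", 0),
    (0.3, "192.0.2.1", "198.51.100.5", "PA", 120),   # data follows
    (0.5, "192.0.2.2", "198.51.100.5", "S", 0),
    (0.7, "192.0.2.2", "198.51.100.5", "PA", 80),
    (2.0, "203.0.113.10", "198.51.100.5", "S", 0),   # burst of empty SYNs
    (2.1, "203.0.113.11", "198.51.100.5", "S", 0),   # from never-seen sources
    (2.2, "203.0.113.12", "198.51.100.5", "S", 0),
    (2.3, "203.0.113.13", "198.51.100.5", "S", 0),
    (2.4, "203.0.113.14", "198.51.100.5", "S", 0),
    (2.5, "192.0.2.1", "198.51.100.5", "PA", 60),    # existing client continues
]


def syn_flood_windows(records, window_s=1.0, min_new_sources=3, min_syn_ratio=0.8):
    """Return (window_start, new_source_count, empty_syn_ratio) for each time
    window in which many never-before-seen sources send payload-less SYNs and
    those SYNs dominate the window's traffic. Thresholds are assumed values;
    tune them against a baseline of the link's normal traffic."""
    seen = set()
    windows = defaultdict(lambda: {"pkts": 0, "empty_syn": 0, "new_src": set()})
    for ts, src, _dst, flags, payload_len in sorted(records):
        stats = windows[int(ts // window_s)]
        stats["pkts"] += 1
        # A bare SYN carries no payload; a data segment in a real session does.
        if flags == "S" and payload_len == 0 and src not in seen:
            stats["new_src"].add(src)
        if flags == "S" and payload_len == 0:
            stats["empty_syn"] += 1
        seen.add(src)
    alerts = []
    for w in sorted(windows):
        s = windows[w]
        ratio = s["empty_syn"] / s["pkts"]
        if len(s["new_src"]) >= min_new_sources and ratio >= min_syn_ratio:
            alerts.append((w * window_s, len(s["new_src"]), round(ratio, 2)))
    return alerts


if __name__ == "__main__":
    for start, new_src, ratio in syn_flood_windows(SAMPLE_HEADERS):
        print(f"window {start:.1f}s: {new_src} new sources, {ratio:.0%} empty SYNs")
```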


On Fri, Nov 8, 2013 at 8:59 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:

>
> On Nov 8, 2013, at 7:43 PM, Karl Auer <kauer at biplane.com.au> wrote:
>
> > Seems to me that is the point of encryption!
>
> Making it impossible to detect/classify/traceback and then mitigate DDoS
> attacks, identify botnet C&Cs, etc. isn't the point of encryption, but is a
> side-effect of overencryption.
>
> No, folks aren't going to share all their keys and certs with all the ISPs
> in the world, that would defeat the purpose of having them in the first place.
>
> No, folks aren't going to mitigate a 100gb/sec+ DDoS attack in their IDC
> after you've decrypted the DDoS traffic.
>
> No, folks aren't going to successfully detect, classify, & mitigate
> layer-4 or layer-7 DDoS attacks which cause their public-facing properties
> to fall over because the tunnel termination points are likely going to be
> devices which fall over due to state exhaustion due to said attacks.
>
> Encrypting everything, all the time, is a recipe for disaster.
>
> Enough on this topic.  No more replies - I've said my piece, and then some.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>           Luck is the residue of opportunity and design.
>
>                        -- John Milton