
Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: engineering --> ddos and flooding

  • From: Paul Johnson
  • Date: Mon Jun 04 12:23:23 2001

Hash: SHA1

Sorry but IMESHO null routing a /32 during a DoS attack doesn't exactly
strike me as engineering. It is more like dealing with the attack in
real-time. To me, engineering would mean designing networks
to be resistant to DDoS and flooding in the first place.

To that end no NSP should ever allow spoofed IP addresses outside of
their network. (not just RFC 1918 addresses but valid IPs that don't
belong to that NSP)

	e.g. if I have a circuit from C&W and I try to spoof a packet
	with a source address of it should be dropped as
	close to the edge of C&W's network as possible.

	note on RFC 1918 addresses: These should never get past customer
	edge routers IMESHO.

Two, NSPs should rate limit DoS traffic (ICMP & SYNs) within their
networks in such a way that it can never DoS a T-1 (or E-1 if you are
not in the US). [note: I'm not sure if Ciscos are up for this workload
since I primarily work with Juniper.]

Three, NSPs should lock down their gear so it can't be used for DoS
amplification. I mean a clueless customer getting burned is one thing,
but we should expect & demand more from NSPs.

[note: my primary responsibility in life is security, not networking. I
know just enough networking to be dangerous and annoying to our
Networking dept. :-) ]

On Mon, 4 Jun 2001, Geoff Zinderdine wrote:
> > Assuming not adding the extra connection, this means that upstream
> > prefix filtering, so that one can't mistakenly inject 255 /24s
> > rather than a single /16, would go out the window.  Now think about
> > /32s and what the routing tables will start to look like.  Now
> > consider that the upstream would also want to send to its upstream
> > Tier-1 the NULLROUTE /32 as well so that his bandwidth is not eaten
> > up as well and we have a situation whereby routing table size will
> > triple in size every year.
> This is a stop gap measure for customer networks.  Those null routed
> /32s are not meant to be permanently advertised, they are meant to  
> free the customer's pipe from smurf/fraggle until the SP can do     
> something about it.  What would be the point of permanently
> blackholing a host on your network?

One more problem... what if your mail/web server is the target of the
attack? You have just taken that resource effectively off-line. No need
to continue the DoS; you've done the work of the attacker.

> I would imagine that most tier 1's are going to filter anything longer
> than a /24 whether you advertise it or not.  The question isn't about 
> route table size, it is whether your SP will go the extra mile to give
> you a proactive option to deal with attack and has someone clueful to 
> implement it that will take responsibility for it (not that it is
> hard).
> This is a very limited measure that only helps in a very particular
> situation for a small subset of customer networks.  I think it is a
> very useful tool for that particular situation... it is not meant as a   
> principle that SP networks should apply to their upstream as well.

Paul Johnson
Ratoath, Co. Meath
Republic of Ireland
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: pgpenvelope -
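The two defensive measures the post argues for, dropping customer-originated packets whose source address was not assigned to that customer (including RFC 1918 space) and rate limiting ICMP / SYN traffic so it cannot by itself fill a T-1, can be sketched as a small simulation. This is an added example, not code from the post or from any vendor; the customer prefix 198.51.100.0/24, the packet dicts and the 10% of T-1 limit are constructed assumptions for illustration.

```python
"""Added example (not from the NANOG post): customer-edge ingress
source-address filtering plus a token-bucket limiter for ICMP / TCP SYN.

Constructed assumptions:
- The customer has been assigned 198.51.100.0/24 (a documentation
  prefix standing in for a real assignment).
- Packets are dicts {src, proto, syn, bytes, t}; the sample packets
  below are constructed, not captured traffic.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable

# Source ranges that should never arrive from a customer link:
# RFC 1918 private space plus loopback, link-local and "this network".
BOGON_SOURCES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"),
    ip_network("0.0.0.0/8"),
]


def ingress_verdict(src: str, assigned: Iterable) -> str:
    """Classify a packet arriving from the customer with source `src`:
    "bogon" (RFC 1918 and friends), "spoofed" (routable address that
    was not assigned to this customer) or "accept"."""
    addr = ip_address(src)
    if any(addr in net for net in BOGON_SOURCES):
        return "bogon"
    if not any(addr in net for net in assigned):
        return "spoofed"
    return "accept"


def filter_packets(packets, assigned):
    """Apply ingress_verdict to each packet; return (accepted, drop counts)."""
    accepted, dropped = [], {"bogon": 0, "spoofed": 0}
    for pkt in packets:
        verdict = ingress_verdict(pkt["src"], assigned)
        if verdict == "accept":
            accepted.append(pkt)
        else:
            dropped[verdict] += 1
    return accepted, dropped


class TokenBucket:
    """Token bucket measured in bits: refills at `rate_bps`, holds at most
    `burst_bits`. Timestamps are seconds supplied by the caller."""

    def __init__(self, rate_bps: float, burst_bits: float):
        self.rate, self.capacity = rate_bps, burst_bits
        self.tokens, self.last = burst_bits, 0.0

    def allow(self, size_bits: int, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= size_bits:
            self.tokens -= size_bits
            return True
        return False


T1_BPS = 1_544_000  # DS1 / T-1 line rate in bits per second


def rate_limit_flood(packets, limit_bps: float, burst_bits: float):
    """Pass ICMP and TCP SYN packets through one token bucket sized well
    below a T-1; all other traffic passes untouched."""
    bucket = TokenBucket(limit_bps, burst_bits)
    passed, dropped = [], 0
    for pkt in packets:
        flood_class = pkt["proto"] == "icmp" or (
            pkt["proto"] == "tcp" and pkt.get("syn", False))
        if flood_class and not bucket.allow(pkt["bytes"] * 8, pkt["t"]):
            dropped += 1
        else:
            passed.append(pkt)
    return passed, dropped


def run_demo():
    """Run both checks over constructed sample traffic and return the counts."""
    assigned = [ip_network("198.51.100.0/24")]
    mk = lambda src: {"src": src, "proto": "tcp", "syn": False, "bytes": 64, "t": 0.0}
    edge = [mk("198.51.100.10"), mk("192.168.1.5"), mk("203.0.113.7"),
            mk("198.51.100.200"), mk("10.1.2.3")]
    accepted, drops = filter_packets(edge, assigned)

    # 20 ICMP packets of 1000 bytes in one instant, one data packet, then one
    # more ICMP a second later; limit is 10% of a T-1 with a 1000-byte burst.
    icmp = lambda t: {"src": "198.51.100.10", "proto": "icmp", "bytes": 1000, "t": t}
    flood = [icmp(0.0) for _ in range(20)] + [mk("198.51.100.10"), icmp(1.0)]
    passed, limited = rate_limit_flood(flood, 0.1 * T1_BPS, 8000)
    return {"accepted": len(accepted), "bogon": drops["bogon"],
            "spoofed": drops["spoofed"], "passed": len(passed), "limited": limited}


if __name__ == "__main__":
    print(run_demo())
```

The filter runs at the customer-facing interface, where the set of legitimately assigned prefixes is known, which is why the post wants the drop as close to the edge as possible; further upstream the provider can no longer tell a customer's address from a spoofed one. The bucket is deliberately sized as a fraction of the access circuit so that a flood of the limited class alone cannot saturate it.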



