North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: engineering --> ddos and flooding
- From: Valdis.Kletnieks
- Date: Mon Jun 04 14:56:06 2001
On Mon, 04 Jun 2001 12:20:41 EDT, Paul Johnson <email@example.com> said:
> Two NSPs should rate limit DoS traffic (ICMP & SYNs) within their
> networks in such a way that it can never DoS a T-1 (or E-1 if you are
> not in the US). [note: I'm not sure if ciso's are up for this workload
> since I primarily work with Juniper.]
Hmm.. I'd be *REALLY* unhappy if our upstream decided to rate-limit SYN
packets to prevent a DoS of a T-1, since the smallest pipe we have
deployed is in the OC-3 category.
The problem is that a *distributed* DOS effectively bypasses this sort
of check - you have (for instance) 1000 zombie machines, each contributing
only a few packets per second. So none of THEM gets filtered. Each ISP
may have only 3-4 zombies, so even aggregated they don't trigger a filter.
Nothing trips a filter, until it gets loose inside a Tier-1, with traffic
converging on one outbound pipe to the victim from 8 or 10 different
peering points. And at THAT point, it's too late.
Operating Systems Analyst