Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: engineering --> ddos and flooding

  • From: Hank Nussbacher
  • Date: Tue Jun 05 01:21:50 2001

At 14:08 04/06/01 -0400, Matt Zito wrote:

> Sorry but IMESHO null routing a /32 during a DoS attacck
> doesn't exactly
> strike me as engineering. It is more like dealing with the attack in
> real-time. To mean engineering would mean desinging networks
> to be resistant to DDoS and flooding in the first plsce.
> To that end no NSP should ever allow spoofed IP addresses outside of
> their network. (not just RFC 1918 addresses but valid IPs that don't
> belong to that NSP)
>       e.e if I'm have a circut from C&W nd I try to spoof a packet
>       eith a source address of it should be dropped as
>       close to the edge of C&W's network as possible.
>       note on RFC 1918 addresses: These should never get past customer
>       edge routers IMESHO.
> Two NSPs should rate limit DoS traffic (ICMP & SYNs) within their
> networks in such a way that it can never DoS a T-1 (or E-1 if you are
> not in the US). [note: I'm not sure if ciso's are up for this workload
> since I primarily work with Juniper.]

Rate-limiting ICMP is not so difficult - rate-limiting SYNs is basically
useless.  Syn floods work not because the amount of traffic they do, but
because they fill up state tables or make them so horribly inefficient as to
make the box cease responding on that port.  Given that, say, a linux box
has a default queue depth of 128, I can send 128 spoofed SYNs at a rate of
one a second, and in two minutes that box will stop responding.  The larger
you make the queue, the longer it will stand up to a slow SYN attack, but
the more costly each incoming SYN and SYN+ACK becomes, as the data
structures become more and more unwieldy.
If you have a good handle on how much SYN traffic you *normally* get, then placing a rate limit like:

rate-limit input access-group 190 64000 1200 1200 conform-action continue exceed-action drop
! Place your /16 here:
access-l 190 permit tcp any syn

will save your network from meltdown. Of course, good SYN pkts will get dropped with bad SYN pkts, but until something better comes along, we use what we can.



Matthew J. Zito
Systems Engineer, Inc., 11th Floor, 575 8th Avenue, New York, NY 10018
Ph: 212-798-9205
PGP Key Fingerprint: 4E AC E1 0B BE DD 7D BC  D2 06 B2 B0 BF 55 68 99

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.