North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Is there a line of defense against Distributed Reflective attacks?
- From: John Kristoff
- Date: Fri Jan 17 14:51:49 2003
On Fri, 17 Jan 2003 18:38:08 +0000 (GMT)
"Christopher L. Morrow" <chris@UU.NET> wrote:
> > has something called Source Path Isolation Engine (SPIE). There
> This would be cool to see a design/whitepaper for.. Kelly?
In addition to David's link:
> > mentioned, which penalize or limit high rate flows are not widely
> > deployed yet.
> (see above, is this what you really want?)
I happen to like the idea of using something like a RED queue that can
more aggressively drop traffic that is 'out of profile' in times of
congestion. Like most things, this probably really works best at the
edges of the network, but my gut feeling is that it can be a relatively
fair and elegant approach. However, it doesn't really solve the DoS
problem, it is really trying to just solve a congestion problem, but it
may have some nice side effects.
For example, I'm planning on trying out some new features from our
border router vendor, where we set a more aggressive RED drop profile
per source IP within our netblock where the source exceeds a configured
transmission rate. The basic idea being to get the high load offering
sources to slow down in times of high usage/congestion. Hopefully they
use TCP, but if not, perhaps drop even more aggressively? If the
capacity is there, high load sources get through.
So, this doesn't stop attacks, but tries to keep some valid data flowing
through a limited egress pipe or in other words, try to provide some
fairness between multiple sources in times of high load. Of course, if
everyone hits the ENTER key at the same time this does't work, but
hopefully statistically multiplexing is working as well as it always has