Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Level3 routing issues?

  • From: Iljitsch van Beijnum
  • Date: Sun Jan 26 07:51:53 2003

On Sat, 25 Jan 2003, K. Scott Bethke wrote:

> > Keep in mind that these problems aren't from 'well behaved' hosts, and
> > 'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED....
> > classic DoS attack scenario. :(

> I understand the evils, but are we really at the mercy of situations like
> this?  Of course we can firewall the common sense things ahead of time,

I don't think this one could have been reasonably firewalled using a
non-stateful firewall (such as a simple router access list): the port is
unpriviliged so it will be used as a source port for regular UDP traffic
such as DNS queries. However, rate limiting UDP would have helped. This
is a reasonable thing to do for customers that have a lot of bandwidth
but don't run high-bandwidth UDP protocols.

> we can jump right in and block evil traffic when it happens, after it takes
> down our network but what sorts of things can we design into our networks
> today to help with these situations?

Rate limit everything you can rate limit, make sure your routers and
switches have enough CPU even if interfaces are saturated with
minimum-sized packets to random destinations. But this type of rDOS
(reversed denial of service) is easy: you can simply filter the
offending systems. If it's the other way around (DOS) there is not much
you can do.

To really solve this we need a mechanism for destination hosts to
authorize source hosts to send data in such a way that intermediate
routers/firewalls can check this authorization and drop unauthorized
packets.





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.