North American Network Operators Group
Re: Level3 routing issues?
- From: Iljitsch van Beijnum
- Date: Sun Jan 26 07:51:53 2003
On Sat, 25 Jan 2003, K. Scott Bethke wrote:
> > Keep in mind that these problems aren't from 'well behaved' hosts, and
> > 'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED....
> > classic DoS attack scenario. :(
> I understand the evils, but are we really at the mercy of situations like
> this? Of course we can firewall the common sense things ahead of time,
I don't think this one could have been reasonably firewalled using a
non-stateful firewall (such as a simple router access list): the port is
unprivileged so it will be used as a source port for regular UDP traffic
such as DNS queries. However, rate limiting UDP would have helped. This
is a reasonable thing to do for customers that have a lot of bandwidth
but don't run high-bandwidth UDP protocols.
> we can jump right in and block evil traffic when it happens, after it takes
> down our network but what sorts of things can we design into our networks
> today to help with these situations?
Rate limit everything you can rate limit, make sure your routers and
switches have enough CPU even if interfaces are saturated with
minimum-sized packets to random destinations. But this type of rDOS
(reversed denial of service) is easy: you can simply filter the
offending systems. If it's the other way around (DOS) there is not much
you can do.
To really solve this we need a mechanism for destination hosts to
authorize source hosts to send data in such a way that intermediate
routers/firewalls can check this authorization and drop unauthorized