Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: UUNet Offer New Protection Against DDoS

  • From: Steve Francis
  • Date: Sat Mar 06 15:39:47 2004

Christopher L. Morrow wrote:

miniscule amounts of traffic in uunet's core is still enough to ddos many
a victim into oblivion. anyone who has been ddos'd by uunet customers can
appreciate that.

miniscule is enough to cause problems in anyone's network.... the point
here was: "Core isn't the right place for this" I wasn't really trying to
argue the 'urpf is good' or 'urpf is bad' arguement, just the placement.

Sorry if I made that confusing earlier.

So we all agree that in the ideal world, everyone has anti-spoofing ACLs and route map filters and what not on every link into their network.
But in the real world...given that you are going to be peering with ISPs (or their upstreams) that do not do uRPF or anything at all on their edges, if you want to drop the patently bogus traffic, or your customers don't want to pay you for delivering it to them over links they don't want congested with it, what do you do?

I guess you can say "peering links are not core", and that's fine if you run loose-uRPF there, and can be assured that all access to your network has filters on all links. I was thinking of large peering routers as part of the core of an ISP, so loose-uRPF is sufficient on those routers, if edges are protected.

But if you are going to run loose-uRPF on your peering routers, why not run it on your core? Is there a technogical reason not to? Cisco OC48 line cards not support it (at least some do.), I'm almost sure Juniper does too. But I don't play in that area.

And given that there are ISP's running it in the core; that it will block some malicious traffic; and spoofed traffic may well be used as an attack vector again (sometime people are going to have to catch on and patch machines, or worms will patch them for them, and reduce the botnet farm size. Maybe not this year, but sometime...), I still don't see why you are against it.

I accept that filtering on all edges, including peering, is a better place to do it. So do you filter on, say, peering links to other tier 1's? Even so, why not have belt AND suspender, and run it in the core?

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.