Re: New Solution: (was: Re: Counter DoS)
- From: James
- Date: Thu Mar 11 23:39:56 2004
the thing is though, by allowing any /32's... what prevents
/all/ customers from abusing it by curiosity of what would
the fact that you are allowing any /32's (up to 100 or whatever
max prefix lim. you set) is like giving a can of worms to your
customers. i don't think it's even worth the effort to bother when
you have more than a couple of customers abusing it
security for one, SLA for the other, thirdly i just don't trust
customers injecting routes into my backbone w/o telling us.
i don't think bgp or a routing protocol is the right way to solve
infected-machines participating in ddos nets.
On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote:
> Here is a solution I would like to propose -- it is not as
> set-and-forget as network operators like, but we do know that some of
> our customers have a lot of expertise with this stuff, and taking
> advantage of that value helps. This is along the categories of
> collateral damage, scorched earth and generally punitive action for
> DDOS-compromised hosts. Because not everyone will read every line, I am
> going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT
> AWAY FROM THEM. This will backfire if it's used for Spam blackholes,
> it will really only have an effect in the narrower DDOS space.
> Along with the idea of blackhole communities. I do NOT recommend it be
> turned on across-the-board for every customer, and once it has reached
> penetration, say 20-30% of the internet backbones use this feature -- it
> should be phased back and only be an ICB item. (called Planned Obl.)
> Just like the blackhole community routes, certain /32's (only, nothing
> shorter) can be exported from the customer to the backbone to be
> blackholed at the edges. The twist is that instead of limiting the
> customer announcement to the customer's IPs, you force only /32s to be
> announced for the blackhole prefixes and limit the total number of
> prefixes. Say 100 (or 10, or 1000, depending on how much trust you have)
> So say, joe-customer has identified his top 50 DDOS sources, he
> announces them to you, voila, DDOS gone. (even for spoofed traffic,
> depending on how your filters are set up) Obviously these would be
> no-export routes so no peer need be worried.
> The theory - It creates an actual, measured response to customer
> machines being vulnerable. It makes parts ( ideally large parts ) of the
> internet unavailable to those with vulnerable computers.
> The bad side - People could black hole important sites, until the
> ALL-CAPS rule is applied.
> The somewhat less bad, bad side - Most of these /32s wouldn't be removed
> until cable provider called the blackholing provider.
> The reality is that these filters are probably created today by backbone
> security folks, so the question is how fast you want the
> IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM.
James Jun TowardEX Technologies, Inc.
Technical Lead Network Design, Consulting, IT Outsourcing
email@example.com Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867 web: http://www.towardex.com , noc: www.twdx.net
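As an added example that is not part of this thread, the following Cisco IOS fragment implements the policy Deepak describes: only /32s tagged with a blackhole community are accepted from the customer on a dedicated session, their count is capped with maximum-prefix, they are marked no-export, and every edge router discards them. All names, ASNs, addresses and the community value are assumed placeholders; the deny entry for the provider's own infrastructure block is an added guard against a customer blackholing it.

```cisco
! Added example (not from the thread). Assumptions: provider AS 65000,
! customer AS 65001 on a dedicated blackhole session from 10.0.0.2,
! community 65000:666 marks a blackhole request, 192.0.2.1 is the
! discard next-hop, 198.51.100.0/24 is provider infrastructure.
!
! Only host routes (/32) are accepted on this session, and never
! ones that fall inside the provider's own infrastructure space.
ip prefix-list BLACKHOLE-HOSTS seq 5 deny 198.51.100.0/24 le 32
ip prefix-list BLACKHOLE-HOSTS seq 10 permit 0.0.0.0/0 ge 32
!
! The customer must tag each request with the blackhole community.
ip community-list standard BLACKHOLE permit 65000:666
!
! Accepted /32s get a next-hop that every edge router discards and
! are marked no-export so they never leave the backbone. Both match
! clauses must hold; anything else on this session is dropped by the
! route-map's implicit deny.
route-map BLACKHOLE-IN permit 10
 match ip address prefix-list BLACKHOLE-HOSTS
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set community no-export additive
!
! Discard route for the next-hop, configured on every edge router so
! the /32s are blackholed at the edges, not just where they arrive.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 ! Dedicated blackhole session: maximum-prefix caps how many /32s the
 ! customer can inject (the "say 100" of the proposal) and tears the
 ! session down when the cap is exceeded. Withdrawing the feature from
 ! an abusive customer is then "neighbor 10.0.0.2 shutdown".
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 description CUSTOMER-BLACKHOLE-SESSION
 neighbor 10.0.0.2 route-map BLACKHOLE-IN in
 neighbor 10.0.0.2 maximum-prefix 100
```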