North American Network Operators Group


Re: New Solution: (was: Re: Counter DoS)

  • From: James
  • Date: Thu Mar 11 23:39:56 2004

the thing is though, by allowing any /32's... what prevents
/all/ customers from abusing it out of curiosity about what would
happen? :)

the fact that you are allowing any /32's (up to 100 or whatever
max prefix lim. you set) is like giving a can of worms to your
customers. i don't think it's even worth the effort to bother when
you have more than a couple of customers abusing it

security for one, SLA for the other, thirdly i just don't trust
customers injecting routes into my backbone w/o telling us.

i don't think bgp or a routing protocol is the right way to solve
infected machines participating in ddos nets.


On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote:
> Here is a solution I would like to propose -- it is not as
> set-and-forget as network operators like, but we do know that some of
> our customers have a lot of expertise with this stuff, and taking
> advantage of that value helps. This is along the categories of
> collateral damage, scorched earth and generally punitive action for
> DDOS-compromised hosts. Because not everyone will read every line, I am
> going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT
> AWAY FROM THEM. This will backfire if it's used for Spam blackholes;
> it will really only have an effect in the narrower DDOS space.
> Along with the idea of blackhole communities. I do NOT recommend it be
> turned on across-the-board for every customer, and once it has reached
> penetration, say 20-30% of the internet backbones use this feature -- it
> should be phased back and only be an ICB item. (called Planned Obl.)
> Just like the blackhole community routes, certain /32's (only, nothing
> shorter) can be exported from the customer to the backbone to be
> blackholed at the edges. The twist is that instead of limiting the
> customer announcement to the customer's IPs, you force only /32s to be
> announced for the blackhole prefixes and limit the total number of
> prefixes. Say 100 (or 10, or 1000, depending on how much trust you have).
> So say joe-customer has identified his top 50 DDOS sources, he
> announces them to you, voila, DDOS gone. (even for spoofed traffic,
> depending on how your filters are set up) Obviously these would be
> no-export routes so no peer need be worried.
> The theory - It creates an actual, measured response to customer
> machines being vulnerable. It makes parts ( ideally large parts ) of the
> internet unavailable to those with vulnerable computers.
> The bad side - People could black hole important sites, until the
> ALL-CAPS rule is applied.
> The somewhat less bad, bad side - Most of these /32s wouldn't be removed
> until the cable provider called the blackholing provider.
> The reality is that these filters are probably created today by backbone
> security folks, so the question is how fast you want the
> injections/rejections.
> Comments?
> Deepak

James Jun, Technical Lead
TowardEX Technologies, Inc.
Network Design, Consulting, IT Outsourcing
Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867    web: , noc:
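To make the import policy Deepak describes (and the "any /32" point James raises) concrete, here is an added simulation of the customer-side acceptance rule, not code from either poster or from any router vendor: only /32 host routes carrying a blackhole community are installed, the count is capped per customer session, accepted routes are tagged no-export, and a disabled flag models the "take it away" rule. The community value 65000:666, the cap of 3 in the demo and the announcements are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE_COMMUNITY = "65000:666"   # assumed value the customer sets on blackhole requests
NO_EXPORT = "no-export"             # well-known community, so no peer ever sees the route


@dataclass
class CustomerSession:
    enabled: bool = True            # the ALL-CAPS rule: abuse -> feature removed
    max_prefix: int = 100           # "Say 100 (or 10, or 1000 ...)"
    accepted: dict = field(default_factory=dict)   # prefix -> communities installed


def evaluate(session, prefix, communities):
    """Apply the blackhole import policy to one announcement; return (accepted, reason)."""
    if BLACKHOLE_COMMUNITY not in communities:
        return False, "not a blackhole request; normal customer prefix filter applies"
    if not session.enabled:
        return False, "blackhole feature disabled for this customer"
    try:
        net = ipaddress.IPv4Network(prefix, strict=True)
    except ValueError:
        return False, "not a valid IPv4 prefix"
    if net.prefixlen != 32:
        return False, "only /32 host routes may be blackholed, nothing shorter"
    if prefix in session.accepted:
        return True, "already installed"
    if len(session.accepted) >= session.max_prefix:
        return False, "maximum-prefix limit reached"
    # Note the policy does NOT check that the /32 lies in the customer's own space:
    # any address can be blackholed, which is exactly the abuse risk in the thread.
    session.accepted[prefix] = set(communities) | {NO_EXPORT}
    return True, "installed: blackholed at the edges, tagged no-export"


def run_demo():
    """Constructed announcements from one customer session with a cap of 3."""
    s = CustomerSession(max_prefix=3)
    announcements = [
        ("203.0.113.7/32", {"65000:666"}),    # identified DDoS source: accepted
        ("203.0.113.0/24", {"65000:666"}),    # shorter than /32: rejected
        ("198.51.100.9/32", set()),           # no community: ordinary customer route
        ("203.0.113.8/32", {"65000:666"}),    # accepted
        ("203.0.113.9/32", {"65000:666"}),    # accepted (third and last under the cap)
        ("203.0.113.10/32", {"65000:666"}),   # over the cap: rejected
    ]
    return [(p, *evaluate(s, p, c)) for p, c in announcements], s
```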
