nanog mailing list archives

Fair Queuing combats DDoS? [was Re: Yahoo! Lessons Learned ]


From: Alex Bligh <amb () gxn net>
Date: Thu, 10 Feb 2000 16:33:30 +0000


Vadim,

Vadim Antonov wrote:
> Just a thought - strict RPF at all ingress points,
> in combination with Fair Queueing keyed on something
> like 24 high-order bits of source IP address in
> transit routers would render any high-rate flooding
> attack pretty much harmless.

If you are talking FQ, as the source addresses are
usually forged and thus random, don't you want to
key on the *destination* address? Or are you
only aiming at reflected attacks?

Fair Queuing is useful in this manner not only on
interconnect with other providers (transit / peering / customers
so multihomed as to be difficult to RPF) but also perhaps on
interfaces connected to customers. Not all attacks are
forged source. Attacks with true source addresses from
compromised servers would be mitigated by the fair
queuing you describe on the router interface.

One minor problem here is that Fair Queuing (as I understand it)
only drops packets if the egress interface to which it is applied
gets full. So *my* applying fair queuing to all interfaces
at an exchange point doesn't help me if X's MAE-East
router is squirting an extra 50Mb/s of traffic at me,
enough to fill my port, but not X's - this is true also
even if *everyone* at the IXP applies FQ.

So the alternative is CEF/CAR like behaviour which would limit
(not queue) traffic to any particular IP address within
one given rate-limit matching clause to a specific
rate. It's dead easy to make exceptions to this for
specific IPs.

I'm sure getting people to deploy this universally will
be just as easy as persuading them to deploy ingress
filtering universally and turning off directed broadcast
universally (cough cough).

-- 
Alex Bligh
VP Core Network, Concentric Network Corporation
(formerly GX Networks, Xara Networks)
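The following is an added simulation, not code from the post or from anyone in the thread. It models one egress link fed by two real flows and a 200 packet/tick flood with forged random sources, and runs round-robin fair queuing keyed either on the source /24 (Vadim's proposal, but without the strict RPF that was meant to accompany it) or on the destination (Alex's suggestion), with an optional CAR-style per-destination admission limit applied before queuing. Link capacity, queue depth, traffic rates and all addresses are constructed assumptions; the policer is a one-tick refill with no burst, a simplification of a real token bucket.

```python
"""Toy fair-queuing simulation for the scenario discussed above.

Added example, not code from the original NANOG thread.  Link capacity,
queue limit, the traffic mix and all addresses are constructed assumptions
chosen to show two things: keying fair queuing on the (forged, random)
source address hands a flood one queue per spoofed /24, while keying on the
destination confines it to the victim's queue; and a CAR-style per
destination limit drops attack packets even when the egress link is not
full, which plain fair queuing never does.  Strict RPF is not modelled.
"""
import random
from collections import deque

LINK_CAPACITY = 20   # packets the egress link drains per tick (assumed)
QUEUE_LIMIT = 50     # per-queue tail-drop depth (assumed)
TICKS = 40

VICTIM, OTHER = "10.0.0.1", "10.0.0.2"   # constructed destinations


def key_source24(pkt):
    """Key on the 24 high-order bits of the source, as Vadim proposed."""
    return pkt["src"].rsplit(".", 1)[0]


def key_destination(pkt):
    """Key on the destination, as Alex suggests for forged-source floods."""
    return pkt["dst"]


def arrivals():
    """Constructed per-tick traffic: two real flows and a spoofed flood."""
    pkts = [{"src": "192.0.2.10", "dst": VICTIM, "legit": True}
            for _ in range(5)]
    pkts += [{"src": "198.51.100.7", "dst": OTHER, "legit": True}
             for _ in range(5)]
    # Attacker: 200 pkt/tick at the victim with a random forged source each.
    pkts += [{"src": ".".join(str(random.randrange(1, 224)) for _ in range(4)),
              "dst": VICTIM, "legit": False}
             for _ in range(200)]
    random.shuffle(pkts)
    return pkts


def simulate(keyfn, per_dst_limit=None, seed=1):
    """Run the link and return, per destination, the share of legitimate
    packets delivered, plus average link occupancy.

    per_dst_limit models a CAR-like policer: at most that many packets per
    tick are admitted toward any one destination, before queuing, so the
    drop happens regardless of whether the link is congested.
    """
    random.seed(seed)
    queues = {}        # key -> deque of waiting packets
    active = deque()   # round-robin order of the non-empty queues
    offered = {VICTIM: 0, OTHER: 0}
    delivered = {VICTIM: 0, OTHER: 0}
    sent_total = 0
    for _ in range(TICKS):
        admitted = {}
        for pkt in arrivals():
            if pkt["legit"]:
                offered[pkt["dst"]] += 1
            if per_dst_limit is not None:
                admitted[pkt["dst"]] = admitted.get(pkt["dst"], 0) + 1
                if admitted[pkt["dst"]] > per_dst_limit:
                    continue          # policed at ingress, link not involved
            k = keyfn(pkt)
            q = queues.setdefault(k, deque())
            if len(q) >= QUEUE_LIMIT:
                continue              # tail drop: this queue is full
            if not q:
                active.append(k)      # queue becomes non-empty, joins rotation
            q.append(pkt)
        # Drain the link: one packet from each non-empty queue in turn.
        sent = 0
        while sent < LINK_CAPACITY and active:
            k = active.popleft()
            pkt = queues[k].popleft()
            sent += 1
            if pkt["legit"]:
                delivered[pkt["dst"]] += 1
            if queues[k]:
                active.append(k)
        sent_total += sent
    return {
        "legit": {d: delivered[d] / offered[d] for d in offered},
        "link_load": sent_total / (TICKS * LINK_CAPACITY),
    }


if __name__ == "__main__":
    print("FQ by source /24     ", simulate(key_source24))
    print("FQ by destination    ", simulate(key_destination))
    print("per-dst limit 8/tick ", simulate(key_destination, per_dst_limit=8))
```

Keyed on the source /24, the flood owns thousands of one-packet queues and both real flows get almost nothing through. Keyed on the destination, the flow to 10.0.0.2 is delivered in full while the victim's own legitimate traffic is still drowned inside the victim's queue, which is the most destination-keyed FQ can do. With the per-destination limit the link sits at 65% occupancy yet attack packets are dropped, showing why a policer rather than a queue is needed for the case where the attacker fills your port but not their own.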