nanog mailing list archives
Fair Queuing combats DDoS? [was Re: Yahoo! Lessons Learned ]
From: Alex Bligh <amb () gxn net>
Date: Thu, 10 Feb 2000 16:33:30 +0000
Vadim,

Vadim Antonov wrote:
Just a thought - strict RPF at all ingress points, in combination with Fair Queueing keyed on something like 24 high-order bits of source IP address in transit routers would render any high-rate flooding attack pretty much harmless.
If you are talking FQ, as the source addresses are usually forged and thus random, don't you want to key on the *destination* address? Or are you only aiming at reflected attacks?

Fair Queuing is useful in this manner not only on interconnect with other providers (transit / peering / customers so multihomed to be difficult to RPF) but also perhaps on interfaces connected to customers. Not all attacks are forged source. Attacks with true source addresses from compromised servers would be mitigated by the fair queuing you describe on the router interface.

One minor problem here is that Fair Queuing (as I understand it) only drops packets if the egress interface to which it is applied gets full. So *my* applying fair queuing to all interfaces at an exchange point doesn't help me if X's MAE-East router is squirting an extra 50Mb/s of traffic at me, enough to fill my port, but not X's - this is true also even if *everyone* at the IXP applies FQ.

So the alternative is CEF/CAR like behaviour which would limit (not queue) traffic to any particular IP address within one given rate-limit matching clause to a specific rate. It's dead easy to make exceptions to this for specific IPs.

I'm sure getting people to deploy this universally will be just as easy as persuading them to deploy ingress filtering universally and turning off directed broadcast universally (cough cough).

--
Alex Bligh
VP Core Network, Concentric Network Corporation
(formerly GX Networks, Xara Networks)
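The two points in the exchange above (what the per-flow key does to a forged-source flood, and why a queue that only drops when the egress port is full behaves differently from a CAR-style per-address rate limit) are easy to see in a small simulation. The following is an added illustration, not code from the NANOG post or from any router vendor: a one-packet-quantum round-robin fair queue whose flow key is pluggable, fed with constructed traffic (20 legitimate flows plus a 5000-packet flood with random spoofed sources aimed at one victim address). The link capacity, addresses and rates are all assumptions chosen for the demo.

```python
"""Added example (not from the original post): compare fair queuing keyed
on the source /24 versus the destination address under a forged-source
flood, and contrast both with a per-destination rate limit.
All traffic below is constructed for the demonstration."""
import random
from collections import Counter, defaultdict, deque

random.seed(7)

# Assumed egress capacity: packets the interface can send per simulated second.
LINK_CAPACITY = 1000
VICTIM = "192.0.2.100"  # constructed victim address


def make_traffic(n_legit_flows=20, legit_rate=10, flood_rate=5000):
    """One second of offered load: legitimate flows with fixed sources and
    distinct destinations, plus a flood with a random forged source per
    packet all aimed at VICTIM. Each packet is (src, dst, label)."""
    packets = []
    for i in range(n_legit_flows):
        packets += [(f"10.0.{i}.1", f"192.0.2.{i + 1}", "legit")] * legit_rate
    for _ in range(flood_rate):
        src = ".".join(str(random.randint(1, 223) if o == 0 else random.randint(0, 255))
                       for o in range(4))
        packets.append((src, VICTIM, "flood"))
    random.shuffle(packets)
    return packets


def key_src24(pkt):
    """Flow key: the 24 high-order bits of the source address."""
    return ".".join(pkt[0].split(".")[:3])


def key_dst(pkt):
    """Flow key: the destination address."""
    return pkt[1]


def fair_queue(packets, key, capacity=LINK_CAPACITY):
    """Round-robin fair queuing with a one-packet quantum: every round each
    non-empty queue sends one packet until `capacity` packets have left the
    interface. Returns Counter of transmitted packets per label. Note that
    nothing is dropped unless offered load exceeds capacity, i.e. the
    egress interface is actually full."""
    queues = defaultdict(deque)
    for pkt in packets:
        queues[key(pkt)].append(pkt)
    sent = Counter()
    remaining = capacity
    active = list(queues)  # queues in first-seen order
    while remaining and active:
        still_active = []
        for k in active:
            if not remaining:
                break
            pkt = queues[k].popleft()
            sent[pkt[2]] += 1
            remaining -= 1
            if queues[k]:
                still_active.append(k)
        active = still_active
    return sent


def rate_limit_per_dst(packets, limit_per_dst, exempt=frozenset()):
    """CAR-like policer: at most `limit_per_dst` packets per destination per
    interval, enforced regardless of whether the link is full. Addresses in
    `exempt` are never limited (the 'exceptions for specific IPs')."""
    sent, used = Counter(), Counter()
    for src, dst, label in packets:
        if dst in exempt or used[dst] < limit_per_dst:
            used[dst] += 1
            sent[label] += 1
    return sent


if __name__ == "__main__":
    traffic = make_traffic()
    print("FQ keyed on src /24 :", dict(fair_queue(traffic, key_src24)))
    print("FQ keyed on dst     :", dict(fair_queue(traffic, key_dst)))
    print("FQ, port not full   :", dict(fair_queue(traffic, key_src24, 6000)))
    print("per-dst limit 50    :", dict(rate_limit_per_dst(traffic, 50)))
```

Keyed on the source /24, the random forged sources spread the flood over roughly 5000 separate queues, so the scheduler treats it as thousands of well-behaved flows and the 20 legitimate queues get at most one packet each before the port is exhausted. Keyed on the destination, the whole flood collapses into one queue: the 20 legitimate flows get all of their 200 packets and the victim's queue is confined to the remaining 800. Raising the capacity above the offered load shows the point about FQ only acting when the egress is full (everything, flood included, is forwarded), whereas the per-destination limiter drops the excess toward the victim whatever the port utilisation, and an exemption set lets specific addresses bypass it.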