nanog mailing list archives
Re: engineering --> ddos and flooding
From: Valdis.Kletnieks () vt edu
Date: Mon, 04 Jun 2001 14:53:09 -0400
On Mon, 04 Jun 2001 12:20:41 EDT, Paul Johnson <pjohnson () bosconet org> said:
> Two NSPs should rate limit DoS traffic (ICMP & SYNs) within their networks in such a way that it can never DoS a T-1 (or E-1 if you are not in the US). [note: I'm not sure if Ciscos are up for this workload since I primarily work with Juniper.]
Hmm.. I'd be *REALLY* unhappy if our upstream decided to rate-limit SYN packets to prevent a DoS of a T-1, since the smallest pipe we have deployed is in the OC-3 category.

The problem is that a *distributed* DOS effectively bypasses this sort of check - you have (for instance) 1000 zombie machines, each contributing only a few packets per second. So none of THEM gets filtered. Each ISP may have only 3-4 zombies, so even aggregated they don't trigger a filter. Nothing trips a filter, until it gets loose inside a Tier-1, with traffic converging on one outbound pipe to the victim from 8 or 10 different peering points. And at THAT point, it's too late.

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
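To make the aggregation argument in the reply above concrete, here is an added simulation (not code from the post or from anyone in the NANOG thread). It builds constructed flow records for the sketched scenario (1000 zombies, a few pps each, 3-4 per ISP) and applies three assumed thresholds: per source, per ISP-to-destination, and per destination; the source addresses, the victim address and the threshold values are all constructed assumptions.

```python
"""Per-source and per-ISP rate limits vs. a per-destination aggregate
on a distributed flood. Constructed data; assumed thresholds."""
from collections import Counter

# Constructed scenario; only the rough shape comes from the post.
ZOMBIES = 1000
PPS_PER_ZOMBIE = 5            # SYNs per second from each zombie
ZOMBIES_PER_ISP = 4
VICTIM = "192.0.2.10"         # documentation prefix, constructed

# Assumed limits a rate limiter might apply.
PER_SOURCE_LIMIT = 100        # pps from one source before it is limited
PER_ISP_LIMIT = 1000          # pps leaving one ISP toward a single /32
PER_DEST_LIMIT = 2000         # pps converging on a single destination


def build_flows(zombies=ZOMBIES, pps=PPS_PER_ZOMBIE, per_isp=ZOMBIES_PER_ISP):
    """Return one (isp, source, dest, pps) record per zombie."""
    flows = []
    for i in range(zombies):
        isp = f"isp{i // per_isp}"                 # 3-4 zombies per ISP
        src = f"10.{(i >> 8) & 255}.{i & 255}.1"   # constructed, unique per zombie
        flows.append((isp, src, VICTIM, pps))
    return flows


def evaluate(flows, per_source=PER_SOURCE_LIMIT, per_isp=PER_ISP_LIMIT,
             per_dest=PER_DEST_LIMIT):
    """Aggregate the flows three ways and count how many keys exceed each limit."""
    by_src, by_isp, by_dest = Counter(), Counter(), Counter()
    for isp, src, dst, pps in flows:
        by_src[src] += pps              # what a per-source limiter sees
        by_isp[(isp, dst)] += pps       # what one ISP's edge sees toward dst
        by_dest[dst] += pps             # what converges on the victim's pipe
    return {
        "per_source_tripped": sum(1 for v in by_src.values() if v > per_source),
        "per_isp_tripped": sum(1 for v in by_isp.values() if v > per_isp),
        "per_dest_tripped": sum(1 for v in by_dest.values() if v > per_dest),
        "victim_pps": by_dest[VICTIM],
    }


if __name__ == "__main__":
    # Distributed case: nothing trips except the per-destination aggregate.
    print(evaluate(build_flows()))
    # Single-source case at the same total rate: the per-source limit does trip.
    print(evaluate([("isp0", "203.0.113.5", VICTIM, ZOMBIES * PPS_PER_ZOMBIE)]))
```

The contrast between the two runs is the point of the reply: the same 5000 pps reaching the victim is invisible to per-source and per-ISP checks when spread across 1000 sources, and only a counter keyed on the destination sees it.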