nanog mailing list archives

Re: Effective ways to deal with DDoS attacks?


From: Richard A Steenbergen <ras () e-gerbil net>
Date: Mon, 6 May 2002 01:57:19 -0400


On Mon, May 06, 2002 at 05:39:05AM +0000, Christopher L. Morrow wrote:

> Perhaps I'm confused (which is likely in this case) but if the traffic is
> being transited by 2 or 3 AS's before it gets to me through 'default'
> routing how am I to know it was coming?

You're talking about packets received from the internet, he's talking 
about packets received from your customers.

> Any access-list of any length severely impacts edge performance, if it
> works at all, and puts the network at risk. This is not dogma, this is
> proven time and again on a large operational network. They are never
> placed for 'permanent' reasons. It is expected that customers will
> properly handle their traffic... yes they don't always do it, but it is
> expected.

It all depends on a) what's your equipment, and b) what do you define as an
edge. If your edge is a T1 things are a lot different than if your edge is
GigE and you have to use "core" (for the definition of core which means
not providing features to compete on performance, and explaining it by
telling you that you shouldn't need those features) equipment to provide
it.

> Compiled access lists? Wow, you are a braver man than I. My experience
> with them has been 'sub optimal' to say the least. Where known traffic
> flows and known patterns, with reasonable route table sizes, are
> available compiled acls work fine. The internet is none of these :(

If everyone who had been burnt by a Crisco bug in a certain feature never
used that feature again, there would be no features. That said, compiled
access-lists work fine for me. :)

> How large is your edge? Do you have routers with +900 interfaces?
> Management of acls on interfaces, even if the gear were to support it,
> isn't feasible, nor is just dropping in an E3 card a solution, acls
> don't work reliably on E3 cards :( E2 cards are just as fun :( the
> really fun part comes with the 'limited' route table incurred with PSA
> acls on E2 cards!

If your vendor isn't providing you with working products, find a new 
vendor.

I'm not going to touch that config with a 10ft cattle prod though, it 
better be automatically generated. That brings it down to the same level 
of distasteful tolerance for the good of the internet as script generated 
prefix lists. :)

-- 
Richard A Steenbergen <ras () e-gerbil net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
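As an added illustration of the "automatically generated" per-customer ingress ACL discussed above (example code added here, not from the post or from any vendor tool): given an inventory of customer-facing interfaces and the prefixes each customer may source traffic from, it emits Cisco IOS-style named extended ACLs that permit only those sources and drop everything else. The interface inventory is constructed, and the ACL naming scheme is an assumption.

```python
import ipaddress

# Constructed sample inventory (not from the post): customer-facing interface ->
# prefixes the customer is entitled to source traffic from.
CUSTOMERS: dict[str, list[str]] = {
    "GigabitEthernet1/0/1": ["192.0.2.0/24", "198.51.100.128/25"],
    "GigabitEthernet1/0/2": ["203.0.113.0/24"],
}

def check_prefixes(prefixes: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the prefixes are usable."""
    problems = []
    for p in prefixes:
        try:
            net = ipaddress.IPv4Network(p, strict=True)  # host bits set -> ValueError
        except ValueError as e:
            problems.append(f"{p}: {e}")
            continue
        if net.prefixlen == 0:
            problems.append(f"{p}: a default route would permit any source")
    return problems

def ingress_acl(name: str, prefixes: list[str]) -> list[str]:
    """IOS-style named extended ACL permitting only the customer's own source
    prefixes; adjacent or overlapping prefixes are merged first."""
    problems = check_prefixes(prefixes)
    if problems:
        raise ValueError("; ".join(problems))
    nets = ipaddress.collapse_addresses(ipaddress.IPv4Network(p) for p in prefixes)
    lines = [f"ip access-list extended {name}"]
    for net in nets:
        # IOS wildcard mask is the inverted netmask, which is exactly the hostmask
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")  # anything else is spoofed or misrouted
    return lines

def acl_name(ifname: str) -> str:
    """Assumed naming scheme: INGRESS-<interface with '/' replaced by '-'>."""
    return "INGRESS-" + ifname.replace("/", "-").upper()

def generate_config(customers: dict[str, list[str]]) -> str:
    """Emit each ACL plus the 'ip access-group ... in' binding on its interface."""
    out: list[str] = []
    for ifname, prefixes in sorted(customers.items()):
        name = acl_name(ifname)
        out.extend(ingress_acl(name, prefixes))
        out += ["!", f"interface {ifname}", f" ip access-group {name} in", "!"]
    return "\n".join(out) + "\n"
```

Regenerating the whole ACL set from the inventory on every change, rather than hand-editing router configs, is what keeps the per-interface filters from drifting out of step with the prefixes customers are actually assigned.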

