nanog mailing list archives
Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
From: Erik Haagsman <erik () we-dare net>
Date: Wed, 02 Jun 2004 18:00:38 +0200
On Wed, 2004-06-02 at 17:25, Jon R. Kibler wrote:
> The sad fact is that simple ingress and egress filtering would eliminate the majority of bogus traffic on the Internet -- including (D)DoS attacks.
Couldn't agree more. It would probably cut hacked zombies (and that way spam) by at least as much as DDoS traffic; in general we'd all have far fewer problems if ISPs would stick to simple solutions where they're needed. Although there are DoSes coming from valid IPs, 99 out of 100 of these valid IPs are zombies hacked by using spoofed IPs so the hacker isn't traceable. Good filtering will make this a lot harder to pull off.
> Why no filtering by ISPs? "Because it takes resources and only benefits the other guy" -- unless your network is the one under attack.
And this is exactly the kind of ignorant thinking that prevents us from solving the spam and DoS problems, while the exact same people can't stop complaining about the spammers and script-kiddies ruining their lunch.
> Maintenance of the ACLs should not be the issue. A single ACL for each subnet would be all that would be required for egress filtering. About 30 ACLs on an inbound border router would be required for ingress filtering. Keeping the ingress ACLs current is a brain-dead task -- just subscribe to the bogon mailing list at cymru.com.
If maintenance of ACLs was a problem for large ISPs, they'd be out of business, since that would imply they don't have the staff to keep their networks running, let alone well enough to actually have customers on them. I've probably heard the argument about the money it would cost and the staff it would take a million times, but the fact is that if every ISP did its filtering, you'd see the need for troubleshooting, spam filtering, recovering from hackers, and mitigating DoS attacks drop enormously. I'm 100% sure this would lead to lower maintenance costs, not the other way around.
> ACLs have had a bad reputation for greatly slowing down routers. That may have been true in the past, but properly written ACLs do not seem to have a significant impact on most new routers. Yes, they may cut peak throughput a few percent -- but if you are running that close to the edge, it is time to upgrade anyway.
Only very small ISPs relying on 36xx's or multilayer switching instead of larger, more powerful equipment might still be valid cases where ACLs are a problem. But those aren't the ISPs generating 80% of all useless traffic; it's the big boys that have plenty of hardware to burn that refuse to do anything about it.
> IMHO, there is absolutely no excuse for not doing ingress and egress filtering.
Hear hear.

---
Erik Haagsman
Network Architect
We Dare BV
tel: +31(0)10 7507008
fax: +31(0)10 7507005
http://www.we-dare.nl
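The two ACL types discussed in this exchange, worked through as an added example (not code from the thread or from either author): an ingress ACL that drops bogon-sourced packets at the border, and a per-subnet egress ACL that only lets packets leave if their source is the ISP's own space. The bogon list is a constructed sample and the ISP prefixes are hypothetical documentation ranges; the router syntax is Cisco-style extended ACL lines.

```python
# Added example (not part of the thread): build the ingress and egress ACLs the
# message describes and evaluate sample packet sources against them.
import ipaddress

# Constructed bogon sample; a real ingress list is kept current from the Team Cymru
# bogon feed mentioned above, since allocated space changes over time.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]
# Hypothetical address space the ISP announces (RFC 5737 documentation ranges).
OUR_PREFIXES = ["203.0.113.0/24", "198.51.100.0/25"]


def ingress_acl(bogons):
    """Inbound border ACL: drop anything whose source claims to be a bogon."""
    rules = [("deny", ipaddress.ip_network(b)) for b in bogons]
    return rules + [("permit", None)]          # None stands for "any"


def egress_acl(prefixes):
    """Outbound ACL: only packets sourced from our own space may leave (BCP 38)."""
    rules = [("permit", ipaddress.ip_network(p)) for p in prefixes]
    return rules + [("deny", None)]


def render(rules):
    """Emit Cisco IOS extended-ACL lines: action, network, wildcard (hostmask)."""
    out = []
    for action, net in rules:
        src = "any" if net is None else f"{net.network_address} {net.hostmask}"
        out.append(f"{action} ip {src} any")
    return out


def evaluate(rules, src):
    """First-match evaluation of a packet's source address; returns 'permit' or 'deny'."""
    addr = ipaddress.ip_address(src)
    for action, net in rules:
        if net is None or addr in net:
            return action
    return "deny"   # implicit deny at the end of the list, as on a real router


if __name__ == "__main__":
    print("\n".join(render(ingress_acl(BOGONS))))
    print("\n".join(render(egress_acl(OUR_PREFIXES))))
    # 10.1.2.3 is a bogon source; 192.0.2.7 is valid but not ours (spoofed on egress).
    for ip in ("10.1.2.3", "203.0.113.9", "192.0.2.7"):
        print(ip, "ingress:", evaluate(ingress_acl(BOGONS), ip),
              "egress:", evaluate(egress_acl(OUR_PREFIXES), ip))
```

The egress list is the one that stops a hacked host inside the ISP from emitting spoofed-source traffic, which is the case the thread argues most ISPs neglect.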