Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T

["Alexei Roudnev" <alex () relcom net>]

This is an interestig example - looks as some protocol, saying _these are my
legal SRC addresses_, desired on customer's link.


========================================================
Because there are legitimate reasons for async routing.
DirectPC/Isat/etc. (Satelite based services) come to mind immediately.
Customers dial-up to an ISP and downstream traffic returns via the sat
connection.  Reverse-path immediately disables every one of these
customers.  Qwest deployed this on us with no notice and killed off
thousands of customers in one fell swoop.

Although I agree with the principal, the implentation needs more thought
than a simple 'turn it on for 100%'.


Eric Krichbaum


-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
Alexei Roudnev
Sent: Thursday, June 03, 2004 1:40 AM
To: Jon R. Kibler; nanog () merit edu
Subject: Re: Real-Time Mitigation of Denial of Service Attacks Now
Available With AT&T


You even do not need to maintain ACL - many routers have 'back-path
verification' feature.
I wonder, why DSL and other 'consumer level' providers are not doing it
for 100% of their customers.


----- Original Message -----
From: "Jon R. Kibler" <Jon.Kibler () aset com>
To: <nanog () merit edu>
Sent: Wednesday, June 02, 2004 8:25 AM
Subject: Re: Real-Time Mitigation of Denial of Service Attacks Now
Available With AT&T


> John Obi wrote:
> > ... since DDoS is the
> > nightmare of the internet now.
>
> The sad fact is that simple ingress and egress filtering would
> eliminate the majority of bogus traffic on the Internet -- including
> (D)DoS attacks. If all ISPs would simply drop all outbound packets
> whose source address is not a valid IP for the subnet of origin,
> and all inbound packets that do not have valid source IP addresses,
> the DDoS problem would be (for all intents and purposes) fixed. If
> proper filtering was done, then any DoS attacks would have to have
> either valid source IP addresses, or IP addresses that spoofed IPs
> within their network of origin. In either case, identifying and
> shutting down the attackers would become a greatly simplified task
> compared to the mess it is today.
>
> Why no filtering by ISPs? "Because it takes resources and only
benefits
> the other guy" -- unless your network is the one under attack.
>
> Maintenance of the ACLs should not be the issue. A single ACL for each
> subnet would be all that would be required for egress filtering. About
> 30 ACLs on an inbound border router would be required for ingress
> filtering. Keeping the ingress ACLs current is a brain-dead task --
just
> subscribe to the bogon mailing list at cymru.com.
>
> ACLs have had a bad reputation for greatly slowing down routers. That
> may have been true in the past, but properly written ACLs do not seem
> to have a significant impact on most new routers. Yes, they may cut
> peak through-put a few percent -- but if you are running that close to
> the edge, it is time to upgrade anyway.
>
> IMHO, there is absolutely no excuse for not doing ingress and egress
> filtering. In fact, if you are an ISP, I would argue that you are
> negligent in your fiduciary responsibilities to your customers and
> shareholders if you are not filtering source IP addresses.
>
> Fancy solutions may make great marketing, but simple proper router
> filtering is a very workable lower-cost solution.
>
> (Step down from soap box.) At least, that's my $0.02 worth.
>
> Jon Kibler
> -- 
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.