nanog mailing list archives
Re: Over a decade of DDOS--any progress yet?
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Mon, 6 Dec 2010 10:40:20 -0500
On Dec 6, 2010, at 10:34 AM, David Ulevitch <david () ulevitch com> wrote:
> On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore <patrick () ianai net> wrote:
>> On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
>>> Besides having *a lot* of bandwidth there's not really much you can do to mitigate. Once you have the bandwidth you can filter (w/good hardware). Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.
>> There is a variation on that theme. Using a distributed architecture (anycast, CDN, whatever), you can limit the attack to certain nodes. If you have 20 nodes and get attacked from a botnet in China, only the users on the same node as the Chinese users will be down. The other 95% of your users will be fine. This is true even if you have 1 Gbps per node, and the attack is 100 Gbps strong.
> I think this is only true if you run your BGP session on a different path (or have your provider pin down a static route).
You are assuming many things - such as the fact bgp is used at all. But yes, of course you have to ensure the attack traffic does not move when you get attacked or you end up with a domino effect that takes out your entire infrastructure.
> But as you and others have pointed out, not a lot of defense against DDoS these days besides horsepower and anycast. :-)

Not just anycast. I said distributed architecture. There are more ways to distribute than anycast. Not everything is limited to 13 IP addresses at the GTLDs, David. :-)

--
TTFN,
patrick
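The two claims in this exchange (a distributed deployment confines a volumetric attack to the nodes whose catchment the attack sources fall in, but only if the attacked nodes keep their announcements up; otherwise the traffic follows the re-route and knocks nodes over one after another) can be checked with a small routing model. The following is an added illustration, not code from the thread or from any of the posters: the 20-node ring, the per-node 1 Gbps capacity, the 100 Gbps attack and the node names are constructed figures that match the example in the quoted text, and "catchment" is modelled simply as each source's preference-ordered list of nodes.

```python
"""Toy model of attack containment in an anycast-style deployment.

Each traffic source (a region of legitimate users, or a botnet) is routed
to the first node in its preference list that is still announcing the
service prefix.  With `withdraw_on_overload=False` an overloaded node stays
announced (the "BGP session on a different path / pinned static route"
case): it is down for its own users, but the attack stays put.  With
`withdraw_on_overload=True` the saturated node loses its announcement, its
catchment (attack included) shifts to the next node, and the domino effect
runs through the whole deployment.  All topology and traffic figures below
are constructed for the illustration.
"""

from dataclasses import dataclass

CAPACITY_GBPS = 1.0  # constructed per-node uplink capacity


@dataclass
class Source:
    name: str
    gbps: float
    prefs: list        # nodes in routing preference order, closest first
    user_share: float  # percent of the user base behind this source (0 for attackers)


def build_sources(n_nodes=20, attack_gbps=100.0, attack_catchment=7):
    """Constructed topology: n_nodes nodes in a ring, each the closest node
    for 1/n of the users; one botnet whose sources all land in the catchment
    of node `attack_catchment`."""
    nodes = [f"node{i:02d}" for i in range(n_nodes)]
    sources = []
    for i, _ in enumerate(nodes):
        prefs = nodes[i:] + nodes[:i]           # local node first, then ring order
        sources.append(Source(f"users-{i:02d}", 0.1, prefs, 100.0 / n_nodes))
    prefs = nodes[attack_catchment:] + nodes[:attack_catchment]
    sources.append(Source("botnet", attack_gbps, prefs, 0.0))
    return nodes, sources


def route(sources, announcing):
    """Send each source to its most preferred node that is still announcing.
    Returns per-node load (Gbps) and the source -> node assignment."""
    load = {n: 0.0 for n in announcing}
    assignment = {}
    for s in sources:
        target = next((n for n in s.prefs if n in announcing), None)
        assignment[s.name] = target
        if target is not None:
            load[target] += s.gbps
    return load, assignment


def simulate(nodes, sources, withdraw_on_overload):
    """Iterate routing until no further withdrawals happen; report which
    nodes are overloaded, which withdrew, and the share of users left without
    a working node."""
    announcing = set(nodes)
    while True:
        load, assignment = route(sources, announcing)
        overloaded = {n for n, gbps in load.items() if gbps > CAPACITY_GBPS}
        if not withdraw_on_overload or not overloaded:
            break
        announcing -= overloaded  # saturated link takes the BGP session with it
    # users are down if they land on an overloaded node or on no node at all
    down = sum(s.user_share for s in sources
               if assignment[s.name] is None or assignment[s.name] in overloaded)
    return {
        "overloaded": sorted(overloaded),
        "withdrawn": sorted(set(nodes) - announcing),
        "users_down_pct": round(down, 1),
    }


if __name__ == "__main__":
    nodes, sources = build_sources()
    print("announcements pinned:", simulate(nodes, sources, False))
    print("withdraw on overload:", simulate(nodes, sources, True))
```

With the announcements pinned, only node07 is overloaded and 5% of the users are down, which is the 95%-fine case from the quoted text. With withdrawal on overload the botnet's 100 Gbps walks around the ring: each newly chosen node saturates, drops out, and hands the whole catchment to the next one until every node has withdrawn and 100% of users are down. The model deliberately ignores filtering capacity and provider-side scrubbing; it is only there to make the containment-versus-domino distinction concrete.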