nanog mailing list archives
Re: Over a decade of DDOS--any progress yet?
From: Thomas Mangin <thomas.mangin () exa-networks co uk>
Date: Wed, 8 Dec 2010 15:10:37 +0000
A less common action is to use flowspec (if you have some Juniper gear) to drop only the attack and hopefully not any legitimate traffic. What is really missing atm is a way to filter flowspec announcements (limit the number and make sure they are for routes the peer is announcing). Until this is sorted I believe flowspec will be a marginal solution.

Thomas

PLUG: http://code.google.com/p/exabgp/

On 8 Dec 2010, at 13:46, alvaro.sanchez () adinet com uy wrote:
> A very common action is to blackhole DDoS traffic upstream by sending a BGP route to the next AS with a preestablished community indicating the traffic must be sent to Null0. The route may be very specific, in order to impact as little as possible. This needs previous coordination between providers.
>
> Regards.
>
> ----Original message----
> From: rdobbins () arbor net
> Date: 08/12/2010 10:53
> To: "North American Operators' Group" <nanog () nanog org>
> Subject: Re: Over a decade of DDOS--any progress yet?
>
> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>
> > One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
>
> The technology exists to detect and classify this attack traffic, and is deployed in production networks today.
>
> And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes.
>
> > On the other hand the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect.
>
> Actually, there're lots of things they can do.
>
> > I know that this has many security concerns, but would a signalling protocol between ISPs be good, to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as the source? Of course this is more complex than these three or two lines, but I wonder if this has been considered in the past.
>
> It already exists.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
>
> Sell your computer and buy a guitar.
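The missing piece Thomas describes (filtering received flowspec announcements: capping their number per peer and accepting only rules whose destination falls inside a unicast route that same peer announces) can be sketched as a receive-side check. This is an added example for the thread, not code from ExaBGP or any router vendor; the 100-rule cap, the FlowRule shape (destination prefix plus action only) and the sample prefixes are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed per-peer cap on accepted flowspec rules (policy choice, not a standard value).
MAX_RULES_PER_PEER = 100


@dataclass(frozen=True)
class FlowRule:
    dst: str      # destination prefix the rule matches, e.g. "192.0.2.0/24"
    action: str   # e.g. "discard" or "rate-limit:0"


def covered_by_peer_route(dst: str, peer_routes) -> bool:
    """True if the rule's destination lies inside a unicast prefix announced by this peer.

    Version is compared first because subnet_of() raises on mixed IPv4/IPv6 input.
    """
    d = ipaddress.ip_network(dst, strict=False)
    return any(d.version == r.version and d.subnet_of(r) for r in peer_routes)


def filter_flowspec(rules, peer_unicast, max_rules=MAX_RULES_PER_PEER):
    """Split received flowspec rules into (accepted, rejected) for one peer.

    rules: iterable of FlowRule received from the peer.
    peer_unicast: prefixes the same peer currently announces via unicast BGP.
    A rule is rejected (with a reason) when the per-peer limit is reached or
    when its destination is not inside a route the peer is announcing, so a
    peer cannot drop traffic for prefixes it does not originate or transit.
    """
    peer_routes = [ipaddress.ip_network(p, strict=False) for p in peer_unicast]
    accepted, rejected = [], []
    for rule in rules:
        if len(accepted) >= max_rules:
            rejected.append((rule, "per-peer flowspec rule limit reached"))
        elif not covered_by_peer_route(rule.dst, peer_routes):
            rejected.append((rule, "destination not within a route announced by this peer"))
        else:
            accepted.append(rule)
    return accepted, rejected


# Constructed sample: the peer announces two unicast prefixes and sends three rules,
# one of which targets address space it does not announce.
PEER_UNICAST = ["192.0.2.0/24", "2001:db8::/32"]
SAMPLE_RULES = [
    FlowRule("192.0.2.10/32", "discard"),
    FlowRule("198.51.100.0/24", "discard"),
    FlowRule("2001:db8:1::/48", "rate-limit:0"),
]
```

Running filter_flowspec(SAMPLE_RULES, PEER_UNICAST) accepts the first and third rule and rejects the 198.51.100.0/24 rule; a full implementation would also compare the originating AS of the covering unicast route, which this sketch omits.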