nanog mailing list archives
Re: ddos attacks
From: Saku Ytti <saku () ytti fi>
Date: Fri, 20 Dec 2013 10:27:21 +0200
On (2013-12-20 03:24 +0000), Dobbins, Roland wrote:
> > I think ipv4 udp is just going to become operationally deprecated. Too much pollution. It is really an epic amount of trash / value ratio in ipv4 udp.
>
> This isn't a realistic viewpoint.

What are realistic options?

a) QUIC and MinimaLT
   - 0 RTT overhead, like UDP
   - no reflection attacks, like TCP
   - all traffic encrypted
   - parity packets to match packet loss to avoid need for resends (QUIC)
   - non-bursty via packet pacing
   - solution for buffer bloat (packet pacing can be affected by changing latency) (QUIC)
   - CPU hit, encryption isn't free, but shouldn't be an issue today
   - mobility, IP is not needed to recognize end-point, you can hop from WLAN to 4G without disconnecting

b) ACL between transit provider and transit customer
   - <50k ports to configure in the whole world to make UDP reflection a useless DoS vector

c) ACL/RPF in a significant portion of access ports in the whole world
   - I'm guessing a significant portion of access ports are on autopilot with no one to change their configs, so probably not practical.

> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
-- ++ytti
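Options b) and c) in the post above both amount to source-address validation at the edge: a port only accepts packets whose source address belongs to the prefixes reachable through that port. The following simulation is an added example, not code from the thread or from any vendor; the FIB, interface names and packets are constructed. It implements a longest-prefix-match lookup and the two common uRPF modes, and shows why strict mode on single-homed customer ports stops spoofed sources while loose mode (with a default route present) mostly does not.

```python
"""
Simulated ingress source-address validation (uRPF / BCP38-style ACL).
Added illustration; the FIB, interface names and traffic are constructed.
"""
import ipaddress

# Constructed FIB: prefix -> interface through which that prefix is reached.
FIB = {
    "198.51.100.0/24": "cust-A",   # customer A's assigned prefix
    "203.0.113.0/24": "cust-B",    # customer B's assigned prefix
    "0.0.0.0/0": "transit",        # everything else via the upstream
}


def lookup(fib, src):
    """Longest-prefix match of src against the FIB.
    Returns (network, interface) or None if no route covers src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifc in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def urpf_strict(fib, ingress, src):
    """Strict uRPF: forward only if the route back to src points out the
    interface the packet arrived on. Fits single-homed customer ports;
    on transit ports asymmetric routing makes it drop legitimate traffic,
    which is why the thread targets the customer-facing side."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == ingress


def urpf_loose(fib, src, allow_default=False):
    """Loose uRPF: forward if any route covers src. With a default route
    installed this accepts every source unless the default is excluded,
    so loose mode alone does little against spoofing."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    if hit[0].prefixlen == 0 and not allow_default:
        return False
    return True


def filter_packets(fib, packets, mode="strict"):
    """Apply the chosen check to (ingress_ifc, src, dst) tuples and return
    one verdict per packet (True = forward, False = drop)."""
    verdicts = []
    for ingress, src, _dst in packets:
        if mode == "strict":
            verdicts.append(urpf_strict(fib, ingress, src))
        else:
            verdicts.append(urpf_loose(fib, src))
    return verdicts


# Constructed sample traffic: (ingress interface, source, destination).
PACKETS = [
    ("cust-A", "198.51.100.7", "192.0.2.10"),    # legitimate customer A
    ("cust-A", "203.0.113.5", "192.0.2.10"),     # A port, B's source address
    ("cust-A", "192.0.2.200", "192.0.2.10"),     # A port, unrelated remote source
    ("cust-B", "203.0.113.9", "198.51.100.1"),   # legitimate customer B
    ("transit", "198.51.100.1", "203.0.113.9"),  # our own customer's address arriving from upstream
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} ---")
        for pkt, ok in zip(PACKETS, filter_packets(FIB, PACKETS, mode)):
            print("forward" if ok else "drop   ", pkt)
```

Running it shows strict mode dropping the three spoofed packets and loose mode letting two of them through, because 203.0.113.5 and 198.51.100.1 are covered by real (non-default) routes even though they arrived on the wrong port. On real hardware the same decision is what `ip verify unicast source reachable-via rx` (IOS) or an ingress ACL permitting only the customer's prefixes expresses; the count of such customer-facing ports is the "<50k" figure in option b).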
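Option a) claims "no reflection attacks, like TCP" for QUIC and MinimaLT. The property comes from address validation: the server sends nothing large to a source address until that source has echoed something only it could have received, as TCP's three-way handshake does and as QUIC's retry token does. The toy model below is an added example, not QUIC's or MinimaLT's wire format; message layout, sizes and addresses are constructed. It shows a stateless keyed token bound to the source address, a small retry reply for unvalidated sources, and the resulting bytes delivered to a claimed source that does versus does not control that address.

```python
"""
Toy model of an address-validating handshake that resists UDP reflection.
Added illustration; the message format, sizes and addresses are constructed
and do not follow any real protocol's encoding.
"""
import hashlib
import hmac
import json
import os

BIG_RESPONSE = "x" * 4000  # constructed: a large answer worth reflecting
PADDING = "p" * 200        # constructed: client pads its first message so a
                           # small retry reply can never amplify it (QUIC pads
                           # client Initial packets to a minimum size for this reason)
TOKEN_HEX_LEN = 32


class Server:
    def __init__(self, key=None):
        # Stateless: the token is a keyed MAC of the source address, so the
        # server keeps no per-client state before validation.
        self.key = key or os.urandom(32)

    def token_for(self, addr):
        mac = hmac.new(self.key, addr.encode(), hashlib.sha256).hexdigest()
        return mac[:TOKEN_HEX_LEN]

    def handle(self, src_addr, msg):
        """Return the reply the server sends towards src_addr."""
        presented = msg.get("token", "")
        if not hmac.compare_digest(presented, self.token_for(src_addr)):
            # Unvalidated source: answer with a retry carrying the token.
            # The reply is small, so a spoofed request gains nothing.
            return {"type": "retry", "token": self.token_for(src_addr)}
        # The client echoed a token that only the true holder of src_addr
        # could have received, so the full response may be sent.
        return {"type": "data", "payload": BIG_RESPONSE}


def size(msg):
    """Wire size of a message in this toy encoding."""
    return len(json.dumps(msg).encode())


def run_exchange(server, claimed_src, owns_src):
    """Simulate one client whose requests carry claimed_src as source.
    Replies are delivered to claimed_src; only a client that really owns
    that address (owns_src=True) can read the retry token and continue.
    Returns (bytes the client sent, bytes delivered to claimed_src)."""
    sent = delivered = 0
    hello = {"type": "hello", "token": "", "pad": PADDING}
    sent += size(hello)
    reply = server.handle(claimed_src, hello)
    delivered += size(reply)
    if reply["type"] == "retry" and owns_src:
        hello2 = {"type": "hello", "token": reply["token"], "pad": PADDING}
        sent += size(hello2)
        reply2 = server.handle(claimed_src, hello2)
        delivered += size(reply2)
    return sent, delivered


def amplification(server, claimed_src, owns_src):
    """Bytes delivered to the claimed source per byte the client sent."""
    sent, delivered = run_exchange(server, claimed_src, owns_src)
    return delivered / sent


if __name__ == "__main__":
    srv = Server()
    print("spoofed source :", run_exchange(srv, "192.0.2.9", owns_src=False))
    print("genuine client :", run_exchange(srv, "192.0.2.9", owns_src=True))
```

For the spoofed case the only thing delivered to the victim address is the retry, which is smaller than the padded request, so the amplification factor is below one; the genuine client completes the second round trip and receives the large payload. The token is bound to the address (a token issued for one address is rejected when presented from another), which is what stops a token harvested elsewhere from being replayed in a spoofed request.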