
Re: DDoS Mitigation Survey



On Sun, 6 Mar 2005, Merike Kaeo wrote:

> I am looking for added input to my initial isp security practices
> draft.  Specifically I'd like to make sure the 01 version will have
> clear information regarding what techniques are deployed for DDoS
> mitigation.   The following questions need some resolution.....
>
> - Where does loose vs strict uRPF get used?

(note that we don't use uRPF at all... except for 3 current cases)

Loose should provide you the ability to 'anti-spoof' a customer link,
where 'anti-spoof' would mean: "drop anything not in the global table, or
which has an adjacency which is 'discard'" (discard/null/bad/reject...
invalid) This seems nice, but the trade-off isn't something I see
worthwhile if your gear can't do this in hardware. uRPF can be very, very
dangerous on software based platforms :(

Strict, ideally, would be VERY nice on statically routed customers. We DO,
though, see often customers that are static'd from us, and static'd from
'att' and who default out both serial links :( This causes uRPF drops when
there shouldn't be drops... Yes, these customers are being dumb, yes
someone should teach them a lesson, yes their "Internet drivers license
should be revoked", but no one has the time for that event.

Hence, no strict uRPF either, plus most lower-end connected customers are
on gear which is likely to have mostly software-switched parts :(

> - Why would loose uRPF not be used?

Questionable value, high 'cost' on platforms without ASIC support.
Dropping packets with routing flaps/churn... likely this would be horridly
difficult to diagnose as a problem too :(

> - What (if any) is problem with using remotely triggered blackhole
> routing?

none... except keeping customers informed that they CAN, and SHOULD.

> - Where does destination based vs source based triggered blackhole
> routing get used?

Hrm. I'd be tempted to use source-based in combination with uRPF on my
customer-side link. I could drop all 'bad' sources into a route-server,
announce internally and reset next-hop to null, then use uRPF on my
ingress interfaces to drop these sources before they could get to my
internal gear... at a faster clip than acls, and it'd keep the acls more
'functional' and 'short' (hopefully).

Destination blackholing works 'everywhere' and should be used if at all
possible for destinations you don't care about losing in a battle.

> - Do triggers usually get deployed based on traffic filters to all
> routers or are they BGP community based?

The ability to run around to 100,000 edge interfaces and 'acl' is mostly
non-existent, at least not in any sort of trustworthy way :) So, bgp gets
you this filtering capability quickly, easily and trustworthi-ly...
Allowing either 'customer support' to initiate this function for
customers, or allowing customers to do this via BGP updates is quite
handy.

> - Where are prefix filters vs AS filters used?  Why?

On all customer links we use both AS and prefix, the AS filters mostly
drop 'bad asn' sets or combos... prefix filters we use to ensure customers
don't do dumb things like announce routes they don't own :) (as7007-like
things for instance)

> - Any other DDoS mitigation techniques which are deployed today?
>

mitigation services via purpose built devices (riverhead/cisco for
instance)

> I had some info from initial survey and am sifting through NANOG
> archives since some of these issues have been discussed there.
> However, would appreciate any discussion or insights on this list from
> folks that are deploying these techniques and are able to comment
> publicly.
>
> - merike
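Added example, not part of the original thread and not vendor code: a small Python model of the forwarding-plane checks the reply describes, covering both the loose-vs-strict uRPF discussion (including the dual-homed static customer whose traffic strict mode wrongly drops) and the source-based versus destination-based blackholing question (a route whose next hop is the discard interface, which loose uRPF then enforces at ingress). Interface names, prefixes (RFC 5737 documentation ranges) and the `allow_default` behaviour are assumptions chosen to mirror the scenarios in the text.

```python
# Constructed example: models loose/strict uRPF and remotely triggered
# blackholing (RTBH) on a longest-prefix-match FIB. Not from the original
# thread; interface names and prefixes are made up for illustration.
import ipaddress
from dataclasses import dataclass

NULL0 = "Null0"  # discard adjacency: a route pointing here means "drop"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # egress interface, or NULL0 for a discard route


class Fib:
    """Longest-prefix-match forwarding table."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, interface):
        self.routes.append(Route(ipaddress.ip_network(prefix), interface))

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_passes(fib, src, ingress_if, mode, allow_default=False):
    """Loose: the source must have a non-discard route in the table.
    Strict: that route must also point back out the ingress interface.
    As on most platforms, a default route does not vouch for a source
    unless allow_default is set (assumption mirroring 'allow-default')."""
    route = fib.lookup(src)
    if route is None or route.interface == NULL0:
        return False
    if route.prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return route.interface == ingress_if
    raise ValueError(f"unknown uRPF mode {mode!r}")


def blackhole(fib, prefix):
    """RTBH trigger: install a more-specific route to the discard interface.
    Used as a source prefix it feeds loose uRPF; used as a destination
    prefix it works on any box that can hold a null route."""
    fib.add(prefix, NULL0)


def forward(fib, src, dst, ingress_if, mode):
    """Ingress decision for one packet: uRPF first, then destination lookup."""
    if not urpf_passes(fib, src, ingress_if, mode):
        return "drop:urpf"
    route = fib.lookup(dst)
    if route is None or route.interface == NULL0:
        return "drop:dest-blackhole"
    return f"forward:{route.interface}"


def build_fib():
    fib = Fib()
    fib.add("0.0.0.0/0", "Upstream0")       # default via transit
    fib.add("203.0.113.0/24", "Upstream0")  # some remote network in the global table
    fib.add("198.51.100.0/24", "Serial0")   # statically routed customer
    fib.add("192.0.2.0/24", "Upstream0")    # same customer's space from its OTHER provider
    return fib


def scenarios():
    fib = build_fib()
    r = {}
    # 1. Customer sources from its own prefix on its own link: strict passes.
    r["own_prefix_strict"] = forward(fib, "198.51.100.10", "203.0.113.1", "Serial0", "strict")
    # 2. Dual-homed customer defaults out our link using addresses the global
    #    table routes via Upstream0: strict drops legitimate traffic, loose does not.
    r["dual_homed_strict"] = forward(fib, "192.0.2.5", "203.0.113.1", "Serial0", "strict")
    r["dual_homed_loose"] = forward(fib, "192.0.2.5", "203.0.113.1", "Serial0", "loose")
    # 3. Source not in the global table (only the default matches): loose drops it.
    r["unrouted_loose"] = forward(fib, "10.0.0.1", "203.0.113.1", "Serial0", "loose")
    # 4. Source-based RTBH: null-route the offending source, loose uRPF drops it at ingress.
    blackhole(fib, "203.0.113.7/32")
    r["src_rtbh_loose"] = forward(fib, "203.0.113.7", "198.51.100.10", "Upstream0", "loose")
    # 5. Destination-based RTBH: sacrifice one victim address, independent of uRPF.
    blackhole(fib, "198.51.100.99/32")
    r["dst_rtbh"] = forward(fib, "203.0.113.8", "198.51.100.99", "Upstream0", "loose")
    return r


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:20s} {outcome}")
```

Scenario 2 is the failure mode the reply complains about: nothing is spoofed, but strict uRPF has no way to tell a dual-homed customer's legitimate second-provider addresses from forged ones, so loose mode (or no uRPF) is what such links end up with. Scenario 4 shows why a null-routed source only helps where loose uRPF is actually enabled on the ingress interface, while scenario 5 works on any interface.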