Re: DDoS Mitigation Survey
On Sun, 6 Mar 2005, Merike Kaeo wrote:
> I am looking for added input to my initial isp security practices draft.
> Specifically I'd like to make sure the 01 version will have clear information
> regarding what techniques are deployed for DDoS mitigation. The following
> questions need some resolution.....
These are good questions -- I haven't seen these much discussed on
other fora, so maybe this is as good as any..
> - Where does loose vs strict uRPF get used?
We don't use loose at all; we use strict toward all the customers.
> - Why would loose uRPF not be used?
Honestly, what is the benefit of loose uRPF?
I guess folks run it towards upstreams and peers. It certainly won't
have any use towards customers.
Is the motivation that you can drop 50% of the DDoS attack w/ spoofed
addresses, from unrouted address space? Even if you reduce a big
attack by half, it's still going to be destructive so I don't see much
point. On the other hand, it drops valid packets from the direction
of upstreams (in particular) if someone's routing advertisement is
flapping.
> - What (if any) is problem with using remotely triggered blackhole routing?
> - Where does destination based vs source based triggered blackhole routing
> get used?
> - Do triggers usually get deployed based on traffic filters to all routers or
> are they BGP community based?
We haven't found enough use for any of these, so haven't bothered to
implement them.
> - Where are prefix filters vs AS filters used? Why?
AS filters towards peers, because prefix filters would take O(10K+)
lines of router config -- not good (visually). Prefix filters toward
BGP customers.
> - Any other DDoS mitigation techniques which are deployed today?
We have a set of customized rate-limiters which limit the rate of SYN,
small UDP, ICMP, etc. floods automatically. These classify the
traffic into roughly 10-20 different categories based on L3-L4 data and
packet lengths and apply different limiters to some of them. Even if
an attack with one category happens (and is rate-limited), the rest
continue to work OK.
These cull out the biggest attacks automatically, but these are still
a pilot (it has been for 1.5 years now) because it's not certain what
impact this has on the legitimate traffic. Nobody has complained yet
though..
We'd also like to use Juniper's "prefix-based policers" *) to protect
the customers from internet-originated DDoS attacks (so that their
cheapo firewalls and routers could handle the floods better) but the
implementation doesn't work reasonably with non-contiguous prefixes so
we can't.
*)
http://www.juniper.net/techpubs/software/junos/junos71/swconfig71-policy/html/policer-config9.html#1046287
--
Pekka Savola                  "You each name yourselves king, yet the
Netcore Oy                     kingdom bleeds."
Systems. Networks. Security.   -- George R.R. Martin: A Clash of Kings
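The strict vs loose uRPF distinction argued over in the reply, as an added worked example that is not part of the original thread: a toy FIB, a source-address check in both modes, and the two cases raised above (loose only catching spoofed packets from unrouted space, and loose dropping valid traffic while an upstream's advertisement is withdrawn). The FIB contents, interface names and addresses are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Constructed FIB: prefix -> interface the best route points out of.
# Deliberately no default route: with a default, loose uRPF would match everything.
FIB = {
    "192.0.2.0/24": "ge-0/0/1",       # customer A, behind ge-0/0/1
    "198.51.100.0/24": "ge-0/0/2",    # customer B, behind ge-0/0/2
    "203.0.113.0/24": "ge-0/0/0",     # remote network learned from the upstream
}

def fib_lookup(fib: dict, src: str) -> Optional[str]:
    """Longest-prefix match on the source address; None means unrouted space."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def urpf_accept(fib: dict, src: str, ingress: str, mode: str) -> bool:
    """True if the packet passes the uRPF check.
    strict: the best route back to src must point out the ingress interface.
    loose:  any route back to src is enough, whatever interface it points to."""
    iface = fib_lookup(fib, src)
    if iface is None:
        return False                  # both modes drop sources with no route
    return iface == ingress if mode == "strict" else True

def demo() -> dict:
    results = {}
    # Spoofed packet on customer A's port claiming customer B's address:
    # strict catches it, loose does not (the source is routed, just elsewhere).
    results["spoof_strict"] = urpf_accept(FIB, "198.51.100.7", "ge-0/0/1", "strict")
    results["spoof_loose"] = urpf_accept(FIB, "198.51.100.7", "ge-0/0/1", "loose")
    # Spoofed packet from unrouted space: the one case loose does catch.
    results["bogon_loose"] = urpf_accept(FIB, "10.1.2.3", "ge-0/0/0", "loose")
    # Route flap: the upstream's advertisement for 203.0.113.0/24 is withdrawn,
    # so legitimate traffic from that network is dropped even under loose.
    flapped = {p: i for p, i in FIB.items() if p != "203.0.113.0/24"}
    results["valid_before_flap"] = urpf_accept(FIB, "203.0.113.9", "ge-0/0/0", "loose")
    results["valid_during_flap"] = urpf_accept(flapped, "203.0.113.9", "ge-0/0/0", "loose")
    return results

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'drop'}")
```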