
Re: DDoS Mitigation Survey



On Sun, 6 Mar 2005, Merike Kaeo wrote:
> I am looking for added input to my initial isp security practices draft. Specifically I'd like to make sure the 01 version will have clear information regarding what techniques are deployed for DDoS mitigation. The following questions need some resolution.....

These are good questions -- I haven't seen these much discussed on other fora, so maybe this is as good as any..


> - Where does loose vs strict uRPF get used?

We don't use loose at all; we use strict toward all the customers.

> - Why would loose uRPF not be used?

Honestly, what is the benefit of loose uRPF?

I guess folks run it towards upstreams and peers. It certainly won't have any use towards customers.

Is the motivation that you can drop 50% of the DDoS attack w/ spoofed addresses, from unrouted address space? Even if you reduce a big attack by half, it's still going to be destructive so I don't see much point. On the other hand, it drops valid packets from the direction of upstreams (in particular) if someone's routing advertisement is flapping.

> - What (if any) is problem with using remotely triggered blackhole routing?
> - Where does destination based vs source based triggered blackhole routing get used?
> - Do triggers usually get deployed based on traffic filters to all routers or are they BGP community based?

We haven't found enough use for any of these, so haven't bothered to implement them.


> - Where are prefix filters vs AS filters used? Why?

AS filters towards peers, because prefix filters would take O(10K+) lines of router config -- not good (visually). Prefix filters toward BGP customers.


> - Any other DDoS mitigation techniques which are deployed today?

We have a set of customized rate-limiters which limit the rate of SYN, small UDP, ICMP, etc. floods automatically. These classify the traffic into roughly 10-20 different categories based on L3-L4 data and packet lengths and apply different limiters to some of them. Even if an attack in one category happens (and is rate-limited), the rest continue to work OK.


These cull out the biggest attacks automatically, but they are still a pilot (and have been for 1.5 years now) because it's not certain what impact this has on the legitimate traffic. Nobody has complained yet, though..

We'd also like to use Juniper's "prefix-based policers" *) to protect the customers from internet-originated DDoS attacks (so that their cheapo firewalls and routers could handle the floods better) but the implementation doesn't work reasonably with non-contiguous prefixes so we can't.

*) http://www.juniper.net/techpubs/software/junos/junos71/swconfig71-policy/html/policer-config9.html#1046287

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
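The loose-vs-strict uRPF distinction discussed in the reply above, as an added worked example (not code from the original post or from Netcore): a toy FIB lookup with both checks, showing that strict uRPF on a customer port rejects a spoofed but routable source, loose uRPF only rejects unrouted space, and loose uRPF starts dropping genuine traffic the moment an upstream prefix is withdrawn. The FIB contents, interface names and addresses are constructed for the example.

```python
import ipaddress

# Constructed FIB for the example: (prefix, egress interface). It deliberately
# has no default route, since a default route makes loose uRPF accept any source.
FIB = [
    ("192.0.2.0/24", "ge-0/0/1"),     # customer A, attached on ge-0/0/1
    ("198.51.100.0/24", "ge-0/0/2"),  # customer B, attached on ge-0/0/2
    ("203.0.113.0/24", "xe-1/0/0"),   # learned from an upstream on xe-1/0/0
]


def lookup(fib, src):
    """Longest-prefix match of src in fib; returns the egress interface or None."""
    addr = ipaddress.ip_address(src)
    best_net, best_iface = None, None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_loose(fib, src):
    """Loose uRPF: accept if any route at all exists for the source address."""
    return lookup(fib, src) is not None


def urpf_strict(fib, src, ingress):
    """Strict uRPF: accept only if the route for the source points back out
    the interface the packet arrived on."""
    return lookup(fib, src) == ingress


def withdraw(fib, prefix):
    """Return a copy of fib with prefix removed (a flapping advertisement)."""
    return [(p, i) for p, i in fib if p != prefix]


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "ge-0/0/1"),   # customer A, its own address
        ("203.0.113.5", "ge-0/0/1"),  # customer A spoofing a routed prefix
        ("10.1.2.3", "ge-0/0/1"),     # customer A spoofing unrouted space
        ("203.0.113.5", "xe-1/0/0"),  # genuine traffic from the upstream
    ]
    for src, ingress in cases:
        print(f"{src:>14} on {ingress}: loose={urpf_loose(FIB, src)} "
              f"strict={urpf_strict(FIB, src, ingress)}")
    flapped = withdraw(FIB, "203.0.113.0/24")
    print("upstream prefix withdrawn, loose accepts 203.0.113.5:",
          urpf_loose(flapped, "203.0.113.5"))
```

The last case is the failure mode the reply points at: a spoofed source inside any routed prefix sails through loose uRPF, while a legitimate source whose prefix is momentarily withdrawn is dropped by it, so toward peers and upstreams the check buys little and costs real packets.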
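The per-category rate-limiting described in the reply above, as an added illustration (not the poster's or Netcore's actual implementation): packets are bucketed by protocol, TCP flags, destination port and length into a handful of classes, each policed class gets its own token bucket, and a simulated SYN flood shows the SYN class being clipped while interleaved established-TCP and DNS traffic passes untouched. The class names, thresholds and limits are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The L3/L4 fields the classifier looks at (a constructed, minimal model)."""
    proto: str                   # "tcp", "udp" or "icmp"
    length: int                  # IP total length in bytes
    tcp_flags: frozenset = frozenset()
    dport: int = 0


def classify(p):
    """Bucket a packet into a small number of classes from L3/L4 data and length.
    Class names and the 100-byte 'small UDP' threshold are assumed values."""
    if p.proto == "tcp":
        return "tcp-syn" if p.tcp_flags == frozenset({"SYN"}) else "tcp-other"
    if p.proto == "udp":
        if p.dport == 53:
            return "udp-dns"
        return "udp-small" if p.length < 100 else "udp-other"
    if p.proto == "icmp":
        return "icmp"
    return "other"


class TokenBucket:
    """Packets-per-second policer: tokens refill at `rate`, capped at `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# Assumed per-class limits (pps, burst). Classes not listed are not policed.
LIMITS = {"tcp-syn": (1000, 200), "udp-small": (5000, 500), "icmp": (500, 100)}


class Policer:
    def __init__(self, limits=LIMITS):
        self.buckets = {c: TokenBucket(r, b) for c, (r, b) in limits.items()}
        self.stats = {}  # class -> [passed, dropped]

    def admit(self, p, now):
        cls = classify(p)
        bucket = self.buckets.get(cls)
        ok = bucket.allow(now) if bucket else True
        self.stats.setdefault(cls, [0, 0])[0 if ok else 1] += 1
        return ok


def simulate_syn_flood(n=20000, duration=1.0):
    """n SYNs spread over `duration` seconds with a trickle of legitimate
    established-TCP and DNS packets interleaved; returns per-class counters."""
    pol = Policer()
    syn = Packet("tcp", 40, frozenset({"SYN"}))
    ack = Packet("tcp", 1500, frozenset({"ACK"}))
    dns = Packet("udp", 80, dport=53)
    for i in range(n):
        now = i * duration / n
        pol.admit(syn, now)
        if i % 200 == 0:           # one ACK and one DNS query per 200 SYNs
            pol.admit(ack, now)
            pol.admit(dns, now)
    return pol.stats


if __name__ == "__main__":
    for cls, (passed, dropped) in sorted(simulate_syn_flood().items()):
        print(f"{cls:10} passed={passed:6} dropped={dropped:6}")
```

With the assumed 1000 pps / 200 burst limit, roughly 1200 of the 20000 SYNs get through in that second and the rest are dropped, while every ACK and DNS packet is admitted because they land in classes with their own (or no) limiter. The open question the reply raises, what such limits do to legitimate traffic, shows up directly in the numbers: a genuine burst of new connections in the "tcp-syn" class would be clipped the same way.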