[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DDoS Mitigation Survey

To: opsec@ops.ietf.org
Subject: Re: DDoS Mitigation Survey
From: John Kristoff <jtk@northwestern.edu>
Date: Sun, 6 Mar 2005 19:46:35 -0600
In-reply-to: <20050306194147.19e256c0@dsl017-022-068.chi1.dsl.speakeasy.net>
References: <7292b2bc431edcb959cb286e620243ed@merike.com> <20050306194147.19e256c0@dsl017-022-068.chi1.dsl.speakeasy.net>

One other thing I forgot to mention...

Source-specific based rate limiting or queueing.  This is not widely
deployed, but I've used it and tried various approaches on various
occasions with some success.  This is more appropriate at the stub
subnet edges, but can be used at campus borders also if the hardware
doing the prefix matching and limiting/queueing is up to the job.

The basic idea with this approach is try to reduce the impact any
source address has on an aggregate.  Ideally with the queueing approach,
in times where capacity is plentiful, a host could use as much as they
want, perhaps it is even a DoS, but as others contend for the link,
traffic above the threshold from specific sources is dropped first.
In the rate limiting case, this just turns whatever link speed the
end user has into something less.  This works best at an aggregate
upstream so that traffic is rate limited within a so-called trusted
zone.

John

References:
- DDoS Mitigation Survey
  - From: Merike Kaeo <kaeo@merike.com>
- Re: DDoS Mitigation Survey
  - From: John Kristoff <jtk@northwestern.edu>

Prev by Date: Re: DDoS Mitigation Survey
Next by Date: RE: FW: Filtering Capabilities for IP Network Infrastructure
Previous by thread: Re: DDoS Mitigation Survey
Next by thread: RE: DDoS Mitigation Survey
Index(es):
- Date
- Thread