Re: Pushback?

From: Basil Kruglov (basil@cifnet.com)
Date: Sun Apr 01 2001 - 16:13:11 EDT


On Sun, Apr 01, 2001 at 02:39:15PM -0400, Christopher Neill wrote:
> rate-limiting, heh.. i can't even get qwest or exodus to apply car to my
> uplinks.. do it automatically? never.. you get DoSed, they can charge you
> for the bandwidth.. and if you do get DoSed, it must be your own fault, right?

[after running ircd, shell, and hosting happy customers with DoS-getting
"applications" for years, lessons I've learned]

*sigh*, not too many IP carriers will do filtering, car/policer.. or a plain
null0 route; they all want $ off transit customers - they're in the business
of selling IP transit ;) Cisco-powered NSPs rarely do this, or do it on an
individual basis only - they might put something standard in hoping you will not
bother paging someone at night or calling 5 times a day asking to modify
the set-up on their gear, which by the way could impact performance.

What I would highly suggest is to ask them what their current policies are,
escalation procedures in similar situations, who most likely is going to
handle the issue, any kickback if it's going to start taking their network
down. Are they clueful enough to trace it back across their network to
the borders and work with their peers/transits. A lot of carriers have
"no traffic filters on backbone/peering routers" as a policy.

Essentially, the problem of all major [d]DoS attacks is rooted in the ability
to spoof packet sources. A problem that the Internet community doesn't quite
know how to solve in a scalable way. :\

Newer backbone routers are designed to work in such a way that it's almost
physically impossible to track a spoofed stream backwards. Interfaces are
becoming smart, and packets are bypassing the route engine to increase
capacity.

I'm sure a lot of people on this list can go on and on like this; bottom
line is there is no solution to the problem, still *there is* something
all of us can do:

http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement.pdf

Placing this on inbounds could help drive away completely spoofed,
random-src attacks; I can add from my own experience that only <20% of the DoS
traffic was getting through to the dst during real-life attacks.

Placing this at edge where customers are would drive the spoofed traffic
to null0, something that shouldn't be coming in in the first place.

And it's only going to get worse over time. :\ The best one could do is build
completely new IP network from the ground up with all the "right" features,
build customer base, connect to major peering points and deal directly
with your peers.

I apologize for the perhaps off-topic post, I just have this "been there, done that"
syndrome. Feel free to drop hate-emails off this list.

-Basil
P.S. I speak for myself and only for myself.
 
> On Mon, Apr 02, 2001 at 12:14:18AM +0800, Miguel A.L. Paraz wrote:
> > I got hit by DoS today which I got around by withdrawing a supernet and
> > announcing subnets.
> >
> > Any plans to implement "pushback" or similar? (A protocol to request to the
> > upstream or peer to do rate limiting)
> >
>
> --
> $Id: .sig,v 1.42 2001/03/21 19:34:35 noise Exp $
> <oof> the point you're getting at is counterproductive ravi
> <oof> since none of our behavior can be rationalized
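As an added illustration of the uRPF check Basil points at above (this is example code written for this archive page, not code from the post, the Cisco document, or any router): a small simulation of what "ip verify unicast source" does with the packets on each interface. The routing table, interface names and packet samples below are constructed; the behaviour modelled follows how strict and loose uRPF are commonly described (strict requires the best reverse path to the source to be the ingress interface, loose only requires any non-null route, and the default route is ignored unless explicitly allowed). The third and fifth sample packets show the two things a practitioner should check before turning strict mode on at an uplink: asymmetric routing across two transits gets dropped by strict mode, and a default route would make loose mode accept everything unless it is excluded from the lookup.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str  # egress interface; "Null0" marks a blackhole route


# Constructed RIB for an illustrative edge router (assumption, not from the post):
# one customer on Serial1, two transit uplinks on Gig0 (default) and Gig1,
# and one prefix blackholed to Null0.
RIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "Gig0"),        # default via transit A
    Route(ipaddress.ip_network("203.0.113.0/24"), "Gig1"),   # learned from transit B
    Route(ipaddress.ip_network("192.0.2.0/24"), "Serial1"),  # customer link
    Route(ipaddress.ip_network("198.51.100.0/24"), "Null0"), # null0 blackhole
]


def lookup(rib, addr, allow_default=False):
    """Longest-prefix match for addr; the default route is skipped unless allowed."""
    addr = ipaddress.ip_address(addr)
    best = None
    for r in rib:
        if r.prefix.prefixlen == 0 and not allow_default:
            continue
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_check(rib, src, ingress, mode="strict", allow_default=False):
    """Return (accept, reason) for a packet with source src arriving on ingress.

    strict: the best route back to src must point out the ingress interface.
    loose:  any route to src is enough, as long as it is not a Null0 blackhole.
    """
    route = lookup(rib, src, allow_default)
    if route is None:
        return False, "no route for source (spoofed or unallocated)"
    if route.iface == "Null0":
        return False, "source is blackholed to Null0"
    if mode == "loose":
        return True, "source reachable via %s" % route.iface
    if route.iface != ingress:
        return False, "reverse path is %s, packet arrived on %s" % (route.iface, ingress)
    return True, "reverse path matches ingress"


# Constructed sample packets: (source address, ingress interface, description).
PACKETS = [
    ("192.0.2.10", "Serial1", "customer sending from its own prefix"),
    ("10.5.5.5", "Serial1", "customer sending a random spoofed source"),
    ("198.51.100.1", "Serial1", "source inside a null-routed prefix"),
    ("203.0.113.7", "Gig0", "asymmetric: best route to source is via Gig1"),
    ("192.0.2.10", "Gig0", "our own customer's address arriving from upstream"),
]


def run(mode, allow_default=False):
    """Apply uRPF in the given mode to every sample packet; returns a list of accept flags."""
    results = []
    for src, ingress, desc in PACKETS:
        ok, why = urpf_check(RIB, src, ingress, mode, allow_default)
        print("%-6s %-15s on %-7s %-5s (%s; %s)" % (mode, src, ingress, "pass" if ok else "DROP", desc, why))
        results.append(ok)
    return results


if __name__ == "__main__":
    run("strict")
    run("loose")
```

Running it shows strict mode passing only the first packet, while loose mode passes the first, fourth and fifth: loose mode drops the purely random sources Basil describes but lets through anything with a real route, which is why it is the mode that survives multihomed uplinks, and why the customer-facing edge is where strict mode belongs.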



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:34 EDT