[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
David J. Hughes
bambi at Hughes.com.au
Tue Jun 14 05:25:29 EDT 2005
On 14/06/2005, at 7:13 PM, Tantsura, Jeff wrote:
> There is no way you could ACL a properly set-up DDoS without impacting your
> customers. Imagine - a web-based VIP customer is getting 10K connections per
> second instead of the usual 1K; how would you ACL 9K of zombies?
> IMHO this could only be done with long-term analysis of what is normal or
> abnormal for those specific hosts + traffic scrubbing.
Couldn't agree with you more. However, from our experience, very few
DoS attacks are properly set up. In fact, most of them aren't very
distributed at all - maybe a couple of hundred source addresses. We
have found that simple ASIC-based L3 filtering has either totally
countered or at least significantly reduced the impact of the vast
majority of DDoS attacks we've seen.

I didn't say it was perfect, but it does get you quite a lot of
protection. To scrub the data you need to be 100% sure that your
border routers can withstand whatever packet rate the attack eventually
produces - and you never know what that rate will be. If you can't
cope, and your borders start falling over, the single client that is
the attack target will be the least of your problems.
David
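The kind of ASIC-friendly L3 filter David describes, for an attack coming from a couple of hundred sources rather than thousands, as an added example that is not part of the original post or of anything the cisco-nsp list published: it aggregates flow summaries by source toward the attacked host, collapses /24 blocks that hold several attackers into one entry, emits a Cisco IOS extended ACL, and refuses to build one when the source count exceeds an assumed ACL size budget (Jeff's "9K zombies" case, where filtering by source is not the tool). The flow records, the target address, the thresholds and the ACL name are all constructed for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of flow summaries (src, dst, proto, dport, packets),
# in the shape a NetFlow/sFlow collector would hand you. Not real traffic:
# three attackers in 198.51.100.0/24, two in 192.0.2.0/24, plus noise.
SAMPLE_FLOWS = [
    ("198.51.100.7",  "203.0.113.10", "tcp", 80,  48000),
    ("198.51.100.9",  "203.0.113.10", "tcp", 80,  51000),
    ("198.51.100.23", "203.0.113.10", "tcp", 80,  47000),
    ("192.0.2.44",    "203.0.113.10", "tcp", 80,  60000),
    ("192.0.2.45",    "203.0.113.10", "udp", 53,   2000),  # below threshold
    ("192.0.2.99",    "203.0.113.10", "tcp", 80,  52000),
    ("203.0.113.200", "203.0.113.10", "tcp", 80,    120),  # legitimate client
    ("192.0.2.44",    "203.0.113.11", "tcp", 443,     5),  # other host, ignored
]


def attack_sources(flows, target, min_packets):
    """Return {src: packets} for sources that sent >= min_packets to target.

    Packets are summed across all flows from one source, so an attacker that
    rotates ports still shows up as a single heavy source.
    """
    per_src = Counter()
    for src, dst, _proto, _dport, pkts in flows:
        if dst == target:
            per_src[src] += pkts
    return {src: pkts for src, pkts in per_src.items() if pkts >= min_packets}


def aggregate(sources, prefix_len=24, min_hosts=3):
    """Collapse blocks that contain >= min_hosts attackers into one prefix.

    Returns a sorted list of ip_network objects; lone attackers stay as /32.
    Collapsing trades a few innocent hosts in the block for a shorter ACL,
    which is exactly the collateral-damage tradeoff the thread argues over.
    """
    by_block = defaultdict(list)
    for src in sources:
        block = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        by_block[block].append(ipaddress.ip_network(src))
    entries = []
    for block, hosts in by_block.items():
        entries.extend([block] if len(hosts) >= min_hosts else hosts)
    return sorted(entries)


def build_acl(entries, target, name="DDOS-FILTER", max_entries=500):
    """Render an IOS extended ACL, or None if the attack is too distributed.

    max_entries is an assumed budget for what the border platform's TCAM
    will take at line rate; past it, per-source ACLs stop being the answer.
    """
    if len(entries) > max_entries:
        return None
    lines = [f"ip access-list extended {name}"]
    for net in entries:
        if net.prefixlen == 32:
            lines.append(f" deny ip host {net.network_address} host {target}")
        else:
            lines.append(f" deny ip {net.network_address} {net.hostmask} host {target}")
    lines.append(" permit ip any any")  # only the victim's attackers are dropped
    return lines


if __name__ == "__main__":
    srcs = attack_sources(SAMPLE_FLOWS, "203.0.113.10", min_packets=10000)
    acl = build_acl(aggregate(srcs), "203.0.113.10")
    print("\n".join(acl) if acl else "too many sources for a source ACL")
```

The ACL ends in `permit ip any any` so it only touches traffic to the attacked host; apply it inbound on the peering interface. The `min_packets` threshold is the part that needs the "long-term analysis of what is normal" Jeff mentions: set it from the host's usual per-client rate, not from the attack.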
...