[c-nsp] Nice EEM applet to protect against certain DDoS situations (sup720)

bas kilobit at gmail.com
Sun Aug 8 04:25:00 EDT 2010


Hi Roland,

On Sun, Aug 8, 2010 at 7:21 AM, Dobbins, Roland <rdobbins at arbor.net> wrote:
>
> On Aug 8, 2010, at 5:18 AM, bas wrote:
>
>> And then decided to remove the IP address from the server (or shut it down)
>
>
> Why not S/RTBH or IDMS or even ACLs, instead of completing the DDoS for the attacker?  Any of those techniques wouldn't result in high CPU on your infrastructure.

ACLs are manual and not dynamic when we need them. Also ACLs do not
scale with many (spoofed) source addresses.

S/RTBH does prevent high CPU, but there are two deal-breakers.
1. When source addresses are dropped at the network edge, and the
attacker uses spoofed source addresses there will be a lot of
collateral damage when traffic of "real" users, whose IP addresses are
spoofed, is dropped.
2. Our (dedicated server) customers receive quite a lot of SYN floods.
There are days that there might be 20 or more. Most of these SYN
floods are only a couple of mbit/s and do not hurt the network or
other customers. We do not want to interfere in case the server admin
battles the SYN floods themselves.

IDMS
heh.. I didn't know that acronym.
It seems it is an Arbor concoction?

We had peakflow SP for a test, it worked well, but it did not fit our
network/budget.

Bas
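For readers unfamiliar with the S/RTBH technique being weighed against the EEM approach above, here is a minimal Cisco IOS configuration for source-based remotely triggered blackholing. This is an added illustration, not configuration from the original thread or from any poster; the addresses (documentation ranges), the route tag 666, the AS number 64500 and the interface name are all placeholders chosen for the example. The trigger router announces the attacking source as a /32 whose next hop is a blackhole address; every edge router already has that address routed to Null0 and runs loose-mode uRPF, so packets *from* that source are dropped at ingress without any per-attack ACL change.

```cisco
! ---- trigger router (the box the NOC or a script touches) ----
! Static route for the attacking SOURCE, tagged so the route-map picks it up.
! 203.0.113.55 is a placeholder for the offending source address.
ip route 203.0.113.55 255.255.255.255 Null0 tag 666
!
route-map RTBH-SOURCE permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
router bgp 64500
 redistribute static route-map RTBH-SOURCE

! ---- every edge router (pre-provisioned once, never touched per attack) ----
! 192.0.2.1 is the blackhole next hop; it must point at Null0 so that
! uRPF sees a null adjacency for any source whose route resolves to it.
ip route 192.0.2.1 255.255.255.255 Null0
!
interface TenGigabitEthernet1/1
 description upstream / peering link (placeholder name)
 ip verify unicast source reachable-via any
```

Removing the tagged static route on the trigger router withdraws the announcement and restores the source. The mechanism is fast and keeps CPU low, but it is exactly what the first deal-breaker in the post describes: the drop is keyed on the source address alone, so if the attacker spoofs sources, the real owners of those addresses lose reachability to the whole network for as long as the /32s stay announced.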
