[c-nsp] Nice EEM applet to protect against certain DDoS situations (sup720)
Dobbins, Roland
rdobbins at arbor.net
Sun Aug 8 21:25:33 EDT 2010
On Aug 9, 2010, at 2:47 AM, bas wrote:
> And now imagine if I were a bad guy that has control over 50 compromised servers in networks that do not filter
> outbound spoofed traffic.
We don't have to imagine it; this is a quite common scenario, except that the attacker has 5K or 50K or 500K bots in his particular botnet, heh.
S/RTBH isn't limited to /32s; I've used it to deal with quite distributed spoofed attacks, sometimes blocking wide swathes of traffic until working with peers/upstreams to get the attack traffic blocked nearer its actual sources begins to have a salutary effect. Again, the concept of partial service recovery holds true; being up for some percentage of legitimate users vs. being down for 100% of legitimate users is a 100% improvement.
No tool is perfect; it's just useful to have options. Even if you end up blocking the destination and thus completing the DDoS for the attacker, doing that with S/RTBH (it works for both sources and destinations) obviates control-plane issues.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken