[c-nsp] Nice EEM applet to protect against certain DDoS situations (sup720)

Dobbins, Roland rdobbins at arbor.net
Sun Aug 8 21:25:33 EDT 2010


On Aug 9, 2010, at 2:47 AM, bas wrote:

> And now imagine if I were a bad guy that has control over 50 compromised servers in networks that do not filter
> outbound spoofed traffic.


We don't have to imagine it; this is a quite common scenario, except that the attacker has 5K or 50K or 500K bots in his particular botnet, heh.

S/RTBH isn't limited to /32s; I've used it to deal with quite distributed spoofed attacks, sometimes blocking wide swathes of traffic until working with peers/upstreams to get the attack traffic blocked nearer its actual sources begins to have a salutary effect.  Again, the concept of partial service recovery holds true; being up for some percentage of legitimate users vs. being down for 100% of legitimate users is a 100% improvement.

No tool is perfect, it's just useful to have options.  Even if you end up blocking the destination and thus completing the DDoS for the attacker, doing that with S/RTBH (it works for both sources and destinations) obviates control-plane issues.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
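As an added illustration of the S/RTBH technique referred to above (this is not configuration from Roland's message or from anyone in the thread), here are Cisco IOS fragments for a trigger router and an edge router following the usual RFC 5635 pattern. The router roles, AS number 65000, route tag 666, blackhole next-hop 192.0.2.1 and the prefix 198.51.100.0/24 are all constructed/assumed values.

```cisco
! --- Trigger router (assumed role) ---
! Any static route carrying tag 666 is rewritten to point at the blackhole
! next-hop and redistributed into iBGP (assumes iBGP neighbors already exist
! and are configured with "neighbor ... send-community").
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
!
! Inject the range the spoofed attack sources fall in (constructed value).
! Any prefix length works, so a wide swathe can be blackholed in one shot;
! removing this line withdraws the blackhole network-wide.
ip route 198.51.100.0 255.255.255.0 Null0 tag 666

! --- Every edge router (assumed role) ---
! The blackhole next-hop resolves to Null0, so traffic *to* the injected
! prefix is discarded in the forwarding path (destination-based RTBH).
ip route 192.0.2.1 255.255.255.255 Null0
!
! Loose-mode uRPF on external-facing interfaces: a packet whose *source*
! address resolves to Null0 is dropped too (source-based RTBH), which is
! what lets the same announcement block spoofed sources without touching
! the control plane.
interface GigabitEthernet1/1
 description Transit / peering (assumed interface)
 ip verify unicast source reachable-via any
```

Because the drop happens in hardware on the edge routers, the trigger router itself never has to carry the attack traffic.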