[c-nsp] Sup2T interface ACL limitations

Dobbins, Roland rdobbins at arbor.net
Mon Dec 16 20:13:34 EST 2013


On Dec 17, 2013, at 6:33 AM, Rolf Hanßen <nsp at rhanssen.de> wrote:

> My fear is that somebody creates blackholes in my network with spoofed source IPs.

Nobody but you can create blackhole routes on your network - or else you have much bigger problems, heh.

This issue applies to S/RTBH or any other mitigation mechanism.  You whitelist things which oughtn't ever to be blocked, and then vet sources/destinations before blackholing them.

> I think this is a potential damage amplifier and may cause much bigger impact than a flooding itself could ever do.

If you misuse it, sure.  But this is not a new technique, it's been in use for many years.  Nothing's perfect; the idea is to exercise caution.

> I could black/whitelist something like 8.8.8.8, but I think there is no chance to build a list that will ever be sufficient for blackholing
> sources.

Other operators can do it - why can't you?

> I furthermore think I will run into problems as soon as I block anything from source xy in the complete network, i.e. also for customers that do
> not want their traffic to be filtered at all.

If attack traffic is ingressing your network, then you've every right and in fact responsibility to mitigate it, lest it cause issues for your network and your customers.  There are many mitigation mechanisms; S/RTBH is just one of them.

You can set up S/RTBH with communities, controlling where traffic is dropped - all edges, all peers, all customers, some edges, some peers, some customers, etc.

You can also build a mitigation center and divert traffic headed for attack targets into that mitigation center. You can enable S/RTBH on the coreward interfaces of the mitigation center gateway, and drop traffic via S/RTBH there - i.e., only for the specific target under attack.  There are other things you can do there, too:

<http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>

None of this stuff is theoretical; they're proven techniques.  Rather than making the perfect the enemy of the merely good, it might be a good idea to assemble a toolbox of various tools, and utilize them if and as necessary.

ACLs aren't feasible for DDoS mitigation for many reasons.  S/RTBH is a very useful tool to have in the toolbox.  All tools must be used with caution and good sense, lest we bruise our thumbs.

;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
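The community-scoped S/RTBH deployment Roland outlines above (whitelist what must never be dropped, vet the source, then steer the drop to all edges / peer edges / customer edges via community), written out as an added IOS-style configuration example. This is my illustration, not configuration from the post, from Arbor, or from any Cisco document. Assumed values: AS 65000, discard next-hop 192.0.2.1 (RFC 5737 space), trigger and edge addresses 10.0.0.1/10.0.0.2, the tag-to-community mapping (66/67/68 to 65000:666/667/668), and 203.0.113.45 as a constructed attack source; only 8.8.8.8 comes from the thread.

```cisco
! === Trigger router: the only box allowed to inject S/RTBH routes ===
!
! Whitelist (assumed contents): sources that must never be blackholed,
! even by a typo. Checked before any trigger route is redistributed.
ip prefix-list RTBH-NEVER seq 5 permit 8.8.8.8/32
ip prefix-list RTBH-NEVER seq 10 permit 10.0.0.0/24
!
! Discard next-hop resolves to Null0 on every router, including this one.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Deny clause first: a whitelisted source never leaves the trigger.
route-map RTBH-TRIGGER deny 5
 match ip address prefix-list RTBH-NEVER
!
! Scope by tag: 66 = drop at all edges, 67 = peer edges only,
! 68 = customer edges only. no-export keeps the /32s inside the AS.
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community 65000:666 no-export
route-map RTBH-TRIGGER permit 20
 match tag 67
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community 65000:667 no-export
route-map RTBH-TRIGGER permit 30
 match tag 68
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community 65000:668 no-export
! Implicit deny at the end: untagged statics are never redistributed.
!
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
!
! Operator action after vetting the source: one tagged static route.
! 203.0.113.45 is a constructed example, dropped at peer edges only (tag 67).
ip route 203.0.113.45 255.255.255.255 Null0 tag 67
!
! === Peer-facing edge router ===
!
ip route 192.0.2.1 255.255.255.255 Null0
!
! Honor only the scopes that apply to this edge: "all" and "peers".
ip community-list standard RTBH-HONOR permit 65000:666
ip community-list standard RTBH-HONOR permit 65000:667
!
! The trigger session carries nothing but S/RTBH routes, so denying
! anything without an honored community is safe here.
route-map RTBH-IN permit 10
 match community RTBH-HONOR
route-map RTBH-IN deny 20
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 route-map RTBH-IN in
!
! Loose-mode uRPF does the source-based drop: a packet whose source
! address resolves only to Null0 is discarded on ingress.
interface GigabitEthernet1/1
 description peer uplink
 ip verify unicast source reachable-via any
```

The deny clause at sequence 5 is the vetting safeguard the thread is asking for: the whitelist is enforced on the trigger, so a mistyped static route for a protected source is silently not redistributed. A customer-facing edge would carry a RTBH-HONOR list with 65000:666 and 65000:668 instead. Two caveats a practitioner should check before turning this on: loose-mode uRPF will also drop packets whose source matches any other route you point at Null0 (for example an aggregate discard route for your own allocation with no covering more-specific), and the trigger router itself keeps a local Null0 route for the whitelisted source, so it should not be in the forwarding path.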
