[c-nsp] BGP DFZ convergence time - FIB programming

Gert Doering gert at greenie.muc.de
Sat Oct 13 17:17:21 EDT 2018


Hi,

On Sat, Oct 13, 2018 at 11:01:28PM +0200, Robert Raszuk wrote:
> > Sounds standard practice.
> 
> This way of (D)DoS mitigation results in cutting the poor target
> completely out of the network ... So the attacker succeeded very well with
> your assistance, as legitimate users can not any more reach the guy. Is it
> his fault that he got attacked?

No, but sometimes there is no other remedy.  Like, a customer has a 
larger network (say, IPv4 /23), and a single IP is attacked, filling
his pipe.  If you drop that single address, the rest of the network
can operate normally.

Would it be better to stop the attack without taking the target host
offline?  Of course!


[..]
> Did you ever instead of the above considered automation to apply at least
> src-dst + ports filters with Flow Spec and just rate limit the malicious
> distributed flows  (rfc5575) ?

Indeed, this would be superior, but not all our hardware can do this,
and (as far as I'm aware) none of our upstream providers support this - so
if we cannot stand the volume anymore (upwards of ~50 Gbit/s), all we
can do is signal upstream "please do not deliver traffic to that target
IP"...

(What we do is rate-limit all the cheap crap, like NTP, fragments, DNS
responses to not white-listed well-known recursor addresses, to reasonable
limits - so as long as our ingress pipes are not full, we do not blackhole
destination addresses.)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
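An added illustration, not taken from Gert's message or from any of the routers involved: an IOS-style configuration sketch of the two mechanisms the message describes, the ingress policer for "cheap crap" (NTP, fragments, DNS responses from non-whitelisted recursors) and the RTBH trigger that tells an upstream to stop delivering traffic to a single /32. Every address, AS number, interface name, policer rate and the route tag are assumptions; the community 65535:666 is the RFC 7999 BLACKHOLE value, and many upstreams publish their own value instead.

```text
! ---- 1. Ingress rate-limit for amplification junk (example values) ----
ip bgp-community new-format
!
ip access-list extended AMPLIFICATION-JUNK
 remark NTP responses (source port 123), the classic amplification vector
 permit udp any eq 123 any
 remark non-initial fragments, typical of UDP amplification floods
 permit ip any any fragments
 remark DNS responses, except from whitelisted recursors (assumed addresses)
 deny   udp host 192.0.2.53 eq 53 any
 deny   udp host 198.51.100.53 eq 53 any
 permit udp any eq 53 any
!
class-map match-any CHEAP-CRAP
 match access-group name AMPLIFICATION-JUNK
!
policy-map INGRESS-POLICE
 class CHEAP-CRAP
  police cir 100000000 conform-action transmit exceed-action drop
!
interface TenGigabitEthernet0/0/0
 description upstream ingress (assumed interface)
 service-policy input INGRESS-POLICE
!
! ---- 2. RTBH trigger: "please do not deliver traffic to that target IP" ----
! A tagged static route to Null0 is the trigger; redistribution turns only
! routes carrying that tag (route-map implicit deny for everything else)
! into a BGP announcement with the upstream's blackhole community.
ip route 203.0.113.77 255.255.255.255 Null0 tag 666
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set community 65535:666 no-export
 set origin igp
!
router bgp 64496
 redistribute static route-map RTBH-TRIGGER
 neighbor 192.0.2.1 remote-as 64511
 neighbor 192.0.2.1 send-community
```

The policer keeps the junk below a fixed share of the pipe without touching anything else, so it is safe to leave in place permanently; the /32 announcement is only accepted by the upstream because of the agreed community (normally a /32 would be filtered), and it discards all traffic to that one host while the rest of the customer's /23 keeps working, which is exactly the trade-off discussed in the thread. Removing the static route withdraws the blackhole. A FlowSpec (RFC 5575) setup would carry the match (source, destination, ports) and the rate-limit action inside BGP itself instead of a local ACL, but only if both the local hardware and the upstream support it.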