[nsp-sec] DDoS Chicken and Egg Problem
David Freedman
david.freedman at uk.clara.net
Wed Mar 26 15:41:45 EDT 2008
I see only three options really:
1. Getting assured delivery of BGP packets during congestion (no shaping for BGP)
2. Separate out-of-band connection for BGP blackhole (get them to run you a FastE connection for BGP only)
3. Get another provider
------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
-----Original Message-----
From: nsp-security-bounces at puck.nether.net on behalf of Jason Gardiner
Sent: Wed 3/26/2008 19:40
To: Nsp-Security
Subject: [nsp-sec] DDoS Chicken and Egg Problem
----------- nsp-security Confidential --------
Hey,
So we have some GigE feeds with an InterNAP that are rate limited. A
while back, we had a DoS attack that filled the pipe. Unfortunately the
provider is doing simple rate limiting, so BGP was caught up in the
policing and the sessions dropped.
We are running remote triggered blackhole with the provider, but the
whole exercise raised a very interesting question. How does one send
the BGP community trigger to the provider if the provider isn't doing
anything to assure that the BGP session remains stable during an
attack? I suggested exempting BGP from policing to avoid the catch-22,
but they didn't see value in doing so.
Any thoughts or recommendations would be appreciated.
--
Thanks,
Jason Gardiner
$company_name Engineering
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
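Option 1 from the reply above (carve BGP out of the rate limiter) expressed as a Cisco IOS MQC configuration on the provider-facing customer port. This is an added illustration, not configuration from either poster or from InterNAP; the interface name, the 500 Mbps rate and the policy names are placeholders. The key change is that the commitment is enforced by a shaper (queueing) with a strict-priority class for TCP/179 instead of a flat policer that drops BGP alongside attack traffic.

```cisco
! Match BGP control traffic in either direction (TCP/179). Cisco routers
! also mark locally generated BGP with IP precedence 6, so "match ip
! precedence 6" is an alternative key if that marking survives the handoff.
ip access-list extended BGP-SESSIONS
 permit tcp any eq bgp any
 permit tcp any any eq bgp
!
class-map match-all BGP-CONTROL
 match access-group name BGP-SESSIONS
!
! Child policy: BGP gets a small strict-priority queue (64 kbps) that is
! served before anything else; all other traffic shares what is left.
policy-map CUSTOMER-QUEUE
 class BGP-CONTROL
  priority 64
 class class-default
  fair-queue
!
! Parent policy: the contracted rate is enforced by shaping (buffering and
! scheduling) rather than policing (dropping on arrival), so the BGP queue
! still drains when the link is full of attack traffic. 500000000 is a
! placeholder for the customer's contracted rate.
policy-map CUSTOMER-SHAPE
 class class-default
  shape average 500000000
  service-policy CUSTOMER-QUEUE
!
interface GigabitEthernet1/0/1
 description Customer handoff (placeholder interface name)
 service-policy output CUSTOMER-SHAPE
!
! Verify: the BGP-CONTROL class should show packets matched and no drops
! while class-default shows the shaper queueing or dropping the excess.
! show policy-map interface GigabitEthernet1/0/1
```

This only helps if the provider applies it on their side of the link; it does nothing for attack traffic that already saturates the provider's own upstream before reaching this interface.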