[nsp-sec] DDoS Chicken and Egg Problem

Barry Greene (bgreene) bgreene at cisco.com
Wed Mar 26 16:48:04 EDT 2008



To me this is not a chicken and an egg problem. It is a problem with not
deploying Diffserv Phase 0 as a core security tool. Any packet coming
into your network needs to have the DSCP value reset to 0 unless there
is an explicit contract/service which requires it to be another value. 

Control Plane traffic (i.e. in your case - BGP) is an explicit contract,
allowing for DSCP values of 48 (Routing protocols) and 56 (SSH).

 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Jason Gardiner
> Sent: Wednesday, March 26, 2008 12:40 PM
> To: Nsp-Security
> Subject: [nsp-sec] DDoS Chicken and Egg Problem
> 
> ----------- nsp-security Confidential --------
> 
> Hey,
> 
> So we have some GigE feeds with an InterNAP that are rate 
> limited.  A while back, we had a DoS attack that filled the 
> pipe.  Unfortunately the provider is doing simple rate 
> limiting, so BGP was caught up in the policing and the 
> sessions dropped.
> 
> We are running remote triggered blackhole with the provider, 
> but the whole exercise raised a very interesting question.  
> How does one send the BGP community trigger to the provider 
> if the provider isn't doing anything to assure that the BGP 
> session remains stable during an attack?  I suggested 
> exempting BGP from policing to avoid the catch-22, but they 
> didn't see value in doing so.
> 
> Any thoughts or recommendations would be appreciated.
> 
> --
> Thanks,
> 
> Jason Gardiner
> $company_name Engineering
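The interaction discussed in this thread, as an added example that is not part of either post: a small Python model comparing simple rate limiting, a DSCP-aware policer that trusts incoming markings, and the same policer behind an ingress DSCP reset. The addresses, byte budget, packet sizes and the modelling of a "contract" as a (source, port) pair are all constructed assumptions.

```python
from dataclasses import dataclass, replace

CS6 = 48  # DSCP value the reply gives for routing protocols

@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    dscp: int
    size: int  # bytes

# Assumption: an "explicit contract" is modelled as (source, TCP port) -> DSCP.
CONTRACTS = {("192.0.2.1", 179): CS6}  # constructed BGP peer address

def ingress_remark(pkt):
    """Reset DSCP to 0 unless an explicit contract covers the flow."""
    return replace(pkt, dscp=CONTRACTS.get((pkt.src, pkt.dport), 0))

def police(packets, budget, dscp_aware):
    """One policing interval: forward in arrival order until `budget` bytes
    are spent. If dscp_aware, CS6 packets are exempt from the budget."""
    forwarded = []
    for pkt in packets:
        if dscp_aware and pkt.dscp == CS6:
            forwarded.append(pkt)
        elif pkt.size <= budget:
            budget -= pkt.size
            forwarded.append(pkt)
    return forwarded

def bgp_delivered(forwarded):
    return any((p.src, p.dport) in CONTRACTS for p in forwarded)

def flood_bytes(forwarded):
    return sum(p.size for p in forwarded if (p.src, p.dport) not in CONTRACTS)

# Constructed interval: 1000 flood packets that arrive already marked 48,
# followed by one BGP keepalive from the contracted peer.
FLOOD = [Packet("203.0.113.7", 80, CS6, 1500) for _ in range(1000)]
KEEPALIVE = Packet("192.0.2.1", 179, CS6, 59)
TRAFFIC = FLOOD + [KEEPALIVE]
BUDGET = 150_000  # bytes per interval (constructed)

def run(remark, dscp_aware):
    """Return (BGP keepalive delivered?, flood bytes forwarded)."""
    pkts = [ingress_remark(p) for p in TRAFFIC] if remark else TRAFFIC
    out = police(pkts, BUDGET, dscp_aware)
    return bgp_delivered(out), flood_bytes(out)
```

Only the combination of reset and DSCP-aware policing both keeps the keepalive and holds the flood to the policed budget; trusting markings without the reset lets the whole flood bypass the policer.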