[nsp-sec] DDoS Chicken and Egg Problem
Barry Greene (bgreene)
bgreene at cisco.com
Wed Mar 26 17:28:43 EDT 2008
> On Junipers, network protocol packets are placed in the reserved
> "network control" queue which normally has top priority and has
> reserved bandwidth on the Ethernet between the RE and the forwarding
> plane.
Yes, all routers need to use reserved queues inside the router to make
sure you don't tail drop control packets. You have two options - use
DSCP (control point 48) or set up another pre-classification scheme that
matches on the BGP packet and pulls it off the data plane (expensive).
The first option is the one we've been using in the - where the BGP
packets leaving the router are set to DSCP 48 (prec 6). Routers can then
use this for QoS on the links and inside the router.
The problem with all of this is we're not resetting DSCP on the edge.
Imagine bots sending out all their packets with DSCP 48. That's a really
easy way to tail drop control plane packets.
Note, back in 1998 we had a couple of Australian ISPs go offline from
their BGP sessions dropping across the Pacific. The root cause was a
couple of porn sites who set their outbound packets to be prec 7,
thinking that it would make their porn go faster. It didn't. It just
filled up the SPD queues and tail dropped BGP - flapping the session. So
if someone who was clueless triggered this problem because they wanted
their porn to go faster, think of what would happen if they were
intentionally trying to cause havoc?
Key point: ask what your vendors do inside their equipment to keep
control plane packets from tail dropping (and test it).
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Kevin Oberman
> Sent: Wednesday, March 26, 2008 2:07 PM
> To: David Freedman
> Cc: nsp-security at puck.nether.net; Johnson, Ron
> Subject: Re: [nsp-sec] DDoS Chicken and Egg Problem
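An added example, not from this thread or from any vendor: a short Python script that models the "reset DSCP on the edge" point above on constructed flow records. It shows the DSCP/precedence relationship the mail relies on (DSCP 48 is prec 6, DSCP 56 is prec 7), re-marks control-marked packets arriving on untrusted ports to best effort, and counts how many such packets each untrusted port would have pushed into the control queue. Interface names, addresses, counts and the trusted-port set are assumptions.

```python
# Added example (not from the nsp-security thread): model an edge ingress
# policy that only trusts control-plane markings (CS6/CS7, i.e. IP prec 6/7)
# from ports facing our own routers, and audit constructed flow records for
# control-marked packets arriving from untrusted customer ports.
from collections import Counter

TRUSTED_INGRESS = {"core0"}   # assumption: ports facing our own routers/peers

def dscp_of(tos: int) -> int:
    """DSCP is the top 6 bits of the IPv4 TOS byte (0xC0 -> 48)."""
    return (tos >> 2) & 0x3F

def precedence_of(tos: int) -> int:
    """IP precedence is the top 3 bits (DSCP 48 -> prec 6, DSCP 56 -> prec 7)."""
    return (tos >> 5) & 0x7

def is_control_marked(tos: int) -> bool:
    """Anything at prec 6 or 7 would land in the reserved control queue."""
    return precedence_of(tos) >= 6

def ingress_remark(ifname: str, tos: int) -> int:
    """Keep markings from trusted ports; on untrusted ports clear the DSCP
    of control-marked packets to 0 (best effort) but leave the 2 ECN bits."""
    if ifname in TRUSTED_INGRESS or not is_control_marked(tos):
        return tos
    return tos & 0x03

# Constructed sample flow records: (ingress_if, src, dst, tos_byte, packets)
SAMPLE_FLOWS = [
    ("core0", "192.0.2.1", "192.0.2.2", 0xC0, 12),           # our BGP, DSCP 48
    ("cust7", "203.0.113.9", "198.51.100.5", 0x00, 900),     # ordinary traffic
    ("cust7", "203.0.113.44", "198.51.100.5", 0xC0, 5000),   # host sending DSCP 48
    ("cust9", "203.0.113.80", "198.51.100.7", 0xE0, 4000),   # prec 7, as in 1998
]

def audit(flows):
    """Packets per untrusted ingress port that carried a control-queue marking."""
    hits = Counter()
    for ifname, _src, _dst, tos, pkts in flows:
        if ifname not in TRUSTED_INGRESS and is_control_marked(tos):
            hits[ifname] += pkts
    return hits

if __name__ == "__main__":
    for ifname, pkts in audit(SAMPLE_FLOWS).most_common():
        print(f"{ifname}: {pkts} control-marked packets from untrusted ingress")
    for ifname, _s, _d, tos, _p in SAMPLE_FLOWS:
        print(f"{ifname}: tos 0x{tos:02x} -> 0x{ingress_remark(ifname, tos):02x}")
```

The same audit can be run over real flow export once the records are mapped to the (ingress, tos, packets) tuple shape; the trusted-port set is the policy decision the mail is asking you to make explicitly.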