[nsp-sec] DDoS Chicken and Egg Problem

Barry Greene (bgreene) bgreene at cisco.com
Wed Mar 26 17:29:10 EDT 2008


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco sets BGP traffic at Prec 6. At least we did. I think Juniper did
the same.  

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Johnson, Ron
> Sent: Wednesday, March 26, 2008 1:49 PM
> To: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] DDoS Chicken and Egg Problem
> 
> ----------- nsp-security Confidential --------
> 
>  
> It is a shame that there is no mechanism that I am aware of 
> to easily flag BGP traffic with an IP priority bit on direct peers. 
> The provider could then setup a QOS queuing policy to always 
> forward priority traffic first. 
> 
> It would be nice if Cisco/Juniper had a command like:
> 
> router bgp 19029
>  bgp priority-bit dscp EF
> !
> 
> There may be a way to set QOS bits on the BGP traffic as it 
> passes through the interface between your AS and upstream 
> provider. The easiest I can imagine is to ensure your BGP 
> session is not via a direct interface to interface 
> connection, but configured eBGP-multihop and passes through a 
> router in the middle that could be matching and flagging BGP 
> traffic, so the routers with the direct connections would QOS 
> enforce based upon these flags.
> 
> This would allow BGP traffic flagged with EF to process 
> through the queue first, and avoid BGP session drop due to 
> keepalive failures.
> 
> 
> Ron Johnson
> New Edge Networks
> 
> 
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> David Freedman
> Sent: Wednesday, March 26, 2008 12:42 PM
> To: Jason Gardiner; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] DDoS Chicken and Egg Problem
> 
> ----------- nsp-security Confidential --------
> 
> I see only three options really:
> 
> 1. Getting assured delivery of BGP packets during congestion 
>    (no shaping for BGP)
> 2. Separate out-of-band connection for BGP blackhole (get them 
>    to run you a FastE connection for BGP only)
> 3. Get another provider
> 
> 
> 
> ------------------------------------------------
> David Freedman
> Group Network Engineering
> Claranet Limited
> http://www.clara.net
> 
> 
> 
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net on behalf of Jason Gardiner
> Sent: Wed 3/26/2008 19:40
> To: Nsp-Security
> Subject: [nsp-sec] DDoS Chicken and Egg Problem
>  
> ----------- nsp-security Confidential --------
> 
> Hey,
> 
> So we have some GigE feeds with an InterNAP that are rate limited.  A 
> while back, we had a DoS attack that filled the pipe.  Unfortunately the 
> provider is doing simple rate limiting, so BGP was caught up in the 
> policing and the sessions dropped.
> 
> We are running remote triggered blackhole with the provider, but the 
> whole exercise raised a very interesting question.  How does one send 
> the BGP community trigger to the provider if the provider isn't doing 
> anything to assure that the BGP session remains stable during an 
> attack?  I suggested exempting BGP from policing to avoid the 
> catch-22, but they didn't see value in doing so.
> 
> Any thoughts or recommendations would be appreciated.
> 
> -- 
> Thanks,
> 
> Jason Gardiner
> $company_name Engineering
> 
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective 
> Internet security
> counter-measures.
> _______________________________________________
> 
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBR+q6vb/UEA/xivvmEQLHtQCg47qKca6eCs5JRI45OR/vNwUd0eYAn1qQ
XlVPI0kH6gL5eAtlObp1Oigz
=06GN
-----END PGP SIGNATURE-----
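What the thread is asking the provider for, shown as an added example that is not from any of the posters: on the provider's router facing the customer's rate-limited GigE, the "simple rate limiting" Jason describes (one policer on class-default, so BGP shares the bucket with the attack traffic) next to a policy that classifies the BGP session into its own class so it is never subject to the bulk policer. This is written in Cisco IOS MQC syntax; the interface name, the contracted rate, and the peer addresses 192.0.2.1 (provider) and 192.0.2.2 (customer, documentation range) are assumptions.

```text
! --- Before: one policer for everything. A flood toward the customer and
! the BGP keepalives/updates drop out of the same bucket, which is how the
! session dies mid-attack.
policy-map CUSTOMER-OUT-SIMPLE
 class class-default
  police cir 100000000 conform-action transmit exceed-action drop
!
! --- After: classify the BGP session explicitly and keep it out of the
! bulk policer. Match on the actual session endpoints and TCP/179, not on
! precedence/DSCP alone: anyone can stamp Prec 6 (CS6) on attack packets,
! so a precedence-only match hands the attacker a bypass around the policer.
! Cisco marks its own BGP at Prec 6, so precedence can be ADDED to the
! match to tighten it, but it should never be the only criterion.
ip access-list extended BGP-PEER-SESSION
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
!
class-map match-all BGP-CONTROL
 match access-group name BGP-PEER-SESSION
!
policy-map CUSTOMER-OUT-PROTECTED
 class BGP-CONTROL
  ! Small guaranteed rate, still policed, so the exemption cannot be turned
  ! into an unlimited channel by spoofing the peer addresses.
  police cir 256000 conform-action transmit exceed-action drop
 class class-default
  police cir 100000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/1
 description Customer handoff, contracted 100 Mbit/s (assumed)
 service-policy output CUSTOMER-OUT-PROTECTED
!
! The same split is needed on the provider's INPUT policy from the customer,
! otherwise the customer's keepalives and the blackhole-community update
! are still policed in the other direction.
!
! Check during an attack that BGP is counted in its own class rather than
! in class-default, and that the hold timer is not being eaten:
!   show policy-map interface GigabitEthernet0/1 output
!   show ip bgp neighbors 192.0.2.2 | include hold time|Last read
```

Two caveats on the workarounds proposed in the thread. Ron's eBGP-multihop trick (terminating the session on a router behind the handoff so a middle box can mark it) gives up the direct-connection TTL check: IOS does not allow `neighbor ... ttl-security hops` together with `ebgp-multihop`, so the session becomes reachable from more than one hop away, and the marking router must then be protected against spoofed TCP/179 traffic itself. And David's option 2, a separate FastE for BGP only, protects the session but not the trigger path's reachability if the attack is aimed at the peering address; the remote-triggered blackhole community still has to be carried across a session that is alive on the out-of-band link.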


