[nsp-sec] DDoS Chicken and Egg Problem
Chris Morrow
morrowc at ops-netman.net
Thu Mar 27 10:10:09 EDT 2008
On Wed, 26 Mar 2008, Sean Donelan wrote:
> ----------- nsp-security Confidential --------
>
>> To continue the other part of the thread, it would be a joy to see some
>> kind of standard on how to manage control plane traffic. I've seen some
>> really good/clever ideas, but nothing that really seems to be the de
>> facto method.
>
> Fred Baker has been pushing this rock uphill in the IETF for several
> years. There are several drafts, and maybe even an RFC or two now.

So... I think that the actual problem is mostly solved, until you do
something weird like drop an interface rate-limit on the interface. I
suspect that if your rate-limit were to be removed and you slammed 2G down
the 1G link, bgp would stay up just fine... regardless of C/J platform
(cause both manage to stick bgp down even a highly utilized interface),
provided of course the boxes at each end of the link can actually sustain
the packet rates of the attack :)

So... I think Jason, you got stuck on a bad config :( or a config with
unintended consequences. There are at least 2 InterNap folks on-list,
perhaps they can help directly?