[nsp-sec] DDoS Chicken and Egg Problem
Smith, Donald
Donald.Smith at qwest.com
Thu Mar 27 11:27:31 EDT 2008
RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Chris Morrow
> Sent: Thursday, March 27, 2008 8:10 AM
> To: Sean Donelan
> Cc: nsp-security at puck.nether.net; Johnson, Ron
> Subject: Re: [nsp-sec] DDoS Chicken and Egg Problem
>
> ----------- nsp-security Confidential --------
>
>
>
> On Wed, 26 Mar 2008, Sean Donelan wrote:
>
> > ----------- nsp-security Confidential --------
> >
> >> To continue the other part of the thread, it would be a joy to see some
> >> kind of standard on how to manage control plane traffic. I've seen some
> >> really good/clever ideas, but nothing that really seems to be the de
> >> facto method.
> >
> > Fred Baker has been pushing this rock up hill in the IETF for several
> > years. There are several drafts, and maybe even an RFC or two now.
>
> so.. I think that the actual problem is mostly solved, until you do
> something weird like drop an interface rate-limit on the interface. I
> suspect that if your rate-limit were to be removed and you slammed 2G down
> the 1G link bgp would stay up just fine... regardless of C/J platform
With the right types of packets you can get either c|j to drop bgp
connections at rates much slower than 1G line speed.
We have done that numerous times on both platforms.
RACLs, CPP or RE rate limits can and should be used to mitigate these
types of attacks.
We have these mitigations deployed and I recommend everyone else do the
same.
We are still developing our CPP testing tools and methods so I won't
claim expertise, just experience.
> (cause both manage to stick bgp down even a highly utilized interface),
> provided of course the boxes at each end of the link can actually sustain
> the packet rates of the attack :)
>
> So... I think Jason, you got stuck on a bad config :( or a config with
> unintended consequences. There are at least 2 InterNap folks on-list
> perhaps they can help directly?
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
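The kind of Cisco IOS Control Plane Policing (CoPP) policy Donald recommends above for keeping BGP up while the control plane is being flooded, added here as an illustration and not taken from the thread or from Qwest's configuration. Addresses are RFC 5737 placeholders (local router 192.0.2.2, configured peer 192.0.2.1), the rates are constructed, and the `police rate ... pps` form assumes an IOS release that supports packet-rate policing.

```cisco
! Constructed example. Only TCP/179 to or from configured neighbours is
! treated as BGP; everything else claiming to be BGP is dropped before it
! reaches the route processor.
ip access-list extended CP-BGP-PEERS
 remark BGP sessions with configured peers only (constructed addresses)
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
!
ip access-list extended CP-BGP-UNWANTED
 remark TCP/179 from anyone who is not a configured peer
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-all CP-BGP
 match access-group name CP-BGP-PEERS
class-map match-all CP-BGP-UNWANTED
 match access-group name CP-BGP-UNWANTED
!
! Classes are evaluated top down, so legitimate peers must come first.
policy-map CONTROL-PLANE-POLICY
 class CP-BGP
  ! no police statement: traffic from real peers is passed unconditionally
 class CP-BGP-UNWANTED
  police rate 10 pps conform-action drop exceed-action drop
 class class-default
  ! cap everything else punted to the RP (constructed rate, tune per platform)
  police rate 500 pps conform-action transmit exceed-action drop
!
control-plane
 service-policy input CONTROL-PLANE-POLICY
```

`show policy-map control-plane input` reports per-class conformed and exceeded counters, which is where a flood against the RP shows up once the policy is in place.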