[nsp-sec] Revisiting the DDOS Route Server project
John Fraizer
john at op-sec.us
Fri Aug 14 14:53:16 EDT 2009
I thought that RTBH NLRIs combined with uRPF was pretty common knowledge in
our particular community. I've been doing it since the knob became
available in IOS and at my current employer, I turned it up as one of my
first action items when I was hired. We've been allowing RTBH NLRIs from
BGP customers (for /32s that pass their individual prefix-list filters) ever
since I wrote our RFC1998 policy back in 2006, about 2 days after I started
here.
Back in the day when I was running my own network and didn't have the budget
for Danny's magic boxes, I spun up my own home-grown mitigation platform
using Peter Haag's NFSen to watch flows for things that were "Bad" and then
automagically send off an alert email to my NOC staff and also insert a RTBH
route into our blackhole route-server. I think it actually pre-dated the
automated mitigation using Guards or any of the Arbor stuff but, since I
couldn't afford to even ask how much those solutions cost at the time, let
alone purchase them, I didn't even know they existed until quite some time
after I had done the home-grown platform.
It's of course not as elegant as the commercially available solutions
because it's not truly real-time, but 5-min mitigation of a DDoS is better
than no mitigation at all. :)
Back on the subject of the DDoS-RS, if people aren't using it, they really
should be! I will tell you all that it has made a significant impact in the
number of attack incidents we have to deal with on our network. I profile
flows to/from the hosts/ports listed in DDoS-RS and generate a daily report
to our customer-facing folks based on the fact that Customer-X has attempted
flows to C&C-Y and that is an extremely strong indication of
infection/compromise. The utility of the DDoS-RS should not be
underestimated.
John
On Fri, Aug 14, 2009 at 6:08 PM, Smith, Donald <Donald.Smith at qwest.com> wrote:
> Gee that sounds familiar:)
>
>
> http://www.rfc-editor.org/internet-drafts/draft-ietf-opsec-blackhole-urpf-04.txt
>
> Danny was one of the co-authors, I got an acknowledgement and Barry got an
> Informative reference.
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia
>
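The two policy checks described in the message above (accepting a customer's RTBH NLRI only when it is a /32 covered by that customer's own prefix-list, and profiling flow records against the DDoS-RS host/port list to report customers that attempted flows to a C&C) are sketched below as an added example. This is not code from the original post, from the DDoS-RS project, or from any of the people quoted; the customer names, prefixes, C&C entries, the simplified "src:port -> dst:port proto" flow-line format, and the function names are all constructed for illustration.

```python
"""
Added example (not from the nsp-sec post): two checks the post describes.

1. accept_rtbh(): take a customer's RTBH NLRI only if it is a /32 that lies
   inside the prefixes that customer is already permitted to announce, i.e.
   it "passes their individual prefix-list filter".
2. report_cnc_contacts(): match flow records against a DDoS-RS style list of
   C&C (host, port) pairs and build the per-customer report of source hosts
   that attempted flows to a C&C.

Customer names, prefixes, C&C entries and flow lines are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed customer prefix-lists: what each BGP customer may announce.
CUSTOMER_PREFIXES = {
    "Customer-X": ["192.0.2.0/24", "198.51.100.0/25"],
    "Customer-Y": ["203.0.113.0/24"],
}

# Constructed stand-in for the DDoS-RS C&C list: (host, port) pairs.
CNC_LIST = {
    ("198.18.0.7", 6667),
    ("198.18.4.20", 80),
}


def accept_rtbh(customer, nlri):
    """True only if `nlri` is an IPv4 /32 inside `customer`'s permitted prefixes."""
    try:
        net = ipaddress.ip_network(nlri, strict=True)
    except ValueError:
        return False          # malformed NLRI: reject, never blackhole on guesswork
    if net.version != 4 or net.prefixlen != 32:
        return False          # only host routes are accepted for blackholing
    return any(net.subnet_of(ipaddress.ip_network(p))
               for p in CUSTOMER_PREFIXES.get(customer, []))


def owner_of(ip):
    """Map an address to the customer whose prefix contains it (longest match)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cust, prefixes in CUSTOMER_PREFIXES.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (cust, net.prefixlen)
    return best[0] if best else None


def parse_flow(line):
    """Parse one constructed 'src:sport -> dst:dport proto' flow line."""
    src, _, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), proto


def report_cnc_contacts(flow_lines):
    """Return {customer: sorted [(src_ip, cnc_host, cnc_port), ...]} for C&C flows."""
    hits = defaultdict(set)
    for line in flow_lines:
        sip, _, dip, dport, _ = parse_flow(line)
        if (dip, dport) not in CNC_LIST:
            continue          # host and port must both match the C&C entry
        cust = owner_of(sip)
        if cust is not None:  # ignore sources outside customer address space
            hits[cust].add((sip, dip, dport))
    return {cust: sorted(entries) for cust, entries in hits.items()}


# Constructed sample flows: two hits for Customer-X (same host), one for
# Customer-Y, one port mismatch, and one source outside customer space.
SAMPLE_FLOWS = [
    "192.0.2.10:51234 -> 198.18.0.7:6667 TCP",
    "192.0.2.10:51235 -> 198.18.0.7:6667 TCP",
    "203.0.113.5:40000 -> 198.18.4.20:80 TCP",
    "192.0.2.11:40001 -> 198.18.4.20:443 TCP",
    "198.51.100.200:40002 -> 198.18.4.20:80 TCP",
]

if __name__ == "__main__":
    print(accept_rtbh("Customer-X", "192.0.2.10/32"))   # accepted
    print(accept_rtbh("Customer-X", "203.0.113.9/32"))  # not their space
    for cust, entries in report_cnc_contacts(SAMPLE_FLOWS).items():
        for sip, host, port in entries:
            print(f"{cust}: {sip} attempted flows to C&C {host}:{port}")
```

The report keys on the source address's owner, so a daily run over the previous day's flow export yields one line per (customer, infected host, C&C) tuple rather than one per flow, which is the shape a customer-facing team can act on.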