[nsp-sec] CUTRS: Community Unwanted Traffic Removal Service
Jon Lewis
jlewis at lewis.org
Mon May 19 20:17:53 EDT 2014
On Mon, 19 May 2014, Smith, Donald wrote:
> ----------- nsp-security Confidential --------
>
> I hope you mean DBRBHF (Destination Based Remote Black Hole Filtering).
>
> "It is assumed that all peers will drop any traffic to the advertised
> prefix by configuring the next-hop address to point to a black hole
> (.e.g. null0 interface). Except for extenuating circumstances, all IPv4
> prefix announcements will be no less specific than a /32. "
>
> That says drop traffic TO the advertised prefix. Thus completing the
> DDOS on that /32.
As I understand it, this is just a distributed RTBH system with the
central control managed by Cymru.
i.e., with traditional RTBH, to stop DDoS traffic from taking your whole
network offline (saturating your transit(s)), you announce the target
IP(s) to your providers with a community that tells them to null route.
The target is knocked off the internet, but the rest of your network gets
to stay in service.
What if the DDoS is big enough that even your transit providers can't
handle it? Not an unheard-of situation with the popular
reflection+amplification attacks. You ask Cymru to ask "everyone" to null
route the target, thus stopping the traffic much closer to the sources.
> Cymru, one of the things I will be asked as I discuss this internally is "how many routes".
>
> We would probably prefix filter this to a specific small number (50? 100?)
My assumption would be this is intended to be used only for attack
mitigation. How many active large scale reflection+amplification DDoSes
are generally going on at one time these days?
Another question I need answered is: do you have to participate in the
RTBH part (accepting null routes from the CUTRS servers) to be allowed to
have Cymru advertise your IPs? i.e., do you have to participate in the
mitigation to be eligible to have CUTRS mitigate an attack against your
network? This is a tool I'd like to have "just in case" we need it, but I
don't know if I'll be able to sell "some 3rd party gets to decide what we
null route". OTOH, if there isn't enough participation in that part of
it, then the service is pointless.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
| therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
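As an added illustration that is not part of this thread or of Cymru's service, the following IOS-style configuration shows the receiving side of the scheme discussed above: accept only /32 host routes from the blackhole feed, cap how many it may send, and re-point each accepted prefix at a discard next-hop. The ASNs, peer address, discard address and community value are placeholders, not CUTRS values.

```cisco
! Added example: receiver-side RTBH/CUTRS-style config (IOS syntax).
! All addresses, ASNs and the community value are placeholders, not Cymru's.
!
! Discard next-hop: a host route to Null0 that every accepted blackhole
! prefix is re-pointed at. Suppress ICMP unreachables so the router does
! not generate a reply for every packet of the dropped flood.
interface Null0
 no ip unreachables
!
ip route 192.0.2.1 255.255.255.255 Null0
!
! Only host routes (/32) are accepted, matching the "no less specific than
! a /32" requirement quoted above; anything shorter is refused.
ip prefix-list BLACKHOLE-HOSTS seq 5 permit 0.0.0.0/0 ge 32
!
! Routes must also carry the agreed blackhole community (placeholder value).
ip community-list standard BLACKHOLE-COMM permit 65535:666
!
! Both match statements in one clause are ANDed. Matching routes get the
! discard next-hop, a high local-preference so they win in the RIB, and
! no-export so the null route never leaks to other peers.
route-map BLACKHOLE-IN permit 10
 match ip address prefix-list BLACKHOLE-HOSTS
 match community BLACKHOLE-COMM
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
! No further permit clauses: everything else from the feed is dropped.
!
router bgp 64496
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description blackhole feed (placeholder peer)
 ! Cap the feed at 100 prefixes (the order of magnitude Donald asked
 ! about); the session is torn down if exceeded and retried after 30 min.
 neighbor 198.51.100.1 maximum-prefix 100 restart 30
 neighbor 198.51.100.1 route-map BLACKHOLE-IN in
 neighbor 198.51.100.1 send-community
```

The prefix-list plus the maximum-prefix limit together bound what a third-party feed can make the router discard: only host routes, and never more than the configured count.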