[nsp-sec] CUTRS: Community Unwanted Traffic Removal Service
Rabbi Rob Thomas
robt at cymru.com
Tue May 20 09:54:24 EDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi, team.
> What if the DDoS is big enough that even your transit providers can't
> handle it? Not an unheard of situation with the popular
> reflection+amplification attacks. You ask Cymru to ask "everyone" to
> null route the target, thus stopping the traffic much closer to the
> sources.
Exactly right, thank you, Jon!
>> We would probably prefix filter this to a specific small number (50-100?)
>
> My assumption would be this is intended to be used only for attack
> mitigation. How many active large scale reflection+amplification DDoS's
> are generally going on at one time these days?
Agreed, it would be a small number. The geek in me hesitates to set a
hard limit, but the liberal arts major in me says "oh sure, 100 is way
more than we envision." :)
> Another question I need answered is: do you have to participate in the
> RTBH part (accepting null routes from the CUTRS servers) to be allowed
> to have Cymru advertise your IPs? i.e. do you have to participate in
> the mitigation to be eligible to have CUTRS mitigate an attack against
> your network? This is a tool I'd like to have "just in case" we need
> it, but I don't know if I'll be able to sell "some 3rd party gets to
> decide what we null route". OTOH, if there isn't enough participation
> in that part of it, then the service is pointless.
Your last point is the most important: If there isn't significant
community adoption, this won't work. It has to scale to scale. :)
Folks, this isn't for the purpose of blocking the routine. That's why
we make available the DDoS-RS and the text file version of that.
The purpose of the CUTRS is for those massive DDoS attacks (100Gbps+
today) that impact you, your customers, and perhaps others around you
such as those at the same exchange(s). This is for those moments when
your own expertise at mitigation, and infrastructure for mitigation, is
simply overwhelmed by a surfeit of traffic or packets. It's a community
response, automated through BGP.
Would I expect folks to blindly accept what we publish? No, but we
won't be the publishers. We're simply the messengers.
The system is set up such that we inject nothing. Only the providers
will be able to inject their own prefixes. Think of your own RTBH
services as an example. Our role will be to verify that Don can
announce things from AS209 and within IP space x.x.x.x, y.y.y.y, etc.
We will have filters in place to ensure only approved space and ASNs
participate and are propagated, not unlike what many of us do today on
our peering sessions.
Long winded answer, sorry, Jon. No, you don't have to accept to
announce, or announce to accept. How you use the service is up to you.
What I think the community does need is something superior to the ad-hoc
approach of calls and email and messaging to mitigate massive attacks.
If we can squelch massive attacks quickly, then the bad guys have lost
the ability to cause widespread damage in this manner (e.g. NTP amp, DNS
amp, et al.). It's no panacea, but I do think it helps.
That said, we're wide open to all ideas!
Thoughts?
Thank you!
Rob.
- --
Rabbi Rob Thomas
Team Cymru https://www.team-cymru.org/
"Of all tyrannies, a tyranny sincerely exercised for the good of its
victims may be the most oppressive." - C.S. Lewis
-----BEGIN PGP SIGNATURE-----
iQCVAwUBU3tekFkX3QAo5sgJAQKYaQQAiZLEunHhCs1vtg05JrqaINtTQrav8VYN
ArgWNDnOGgAbIf+OCWJAVPspuEbBfG3xhssYe32YME1/9+DqfO9MkOvms3DSIOkH
l+P4VrqalHwSjmGMZmGySrV43YJS9k6VD1jASEj6CFOkPwS8EjDRQR2iFR2kpqGn
VOy9zQ8w3P4=
=eOHh
-----END PGP SIGNATURE-----
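The filtering Rob describes above (only a registered ASN may inject, only within its own approved space, with a small per-participant cap), worked through as an added example. This is not Team Cymru's code and not part of the original message; it is a hypothetical route-server policy. It assumes a registry mapping each participating ASN to its approved prefixes, that only host routes (/32 or /128) are blackholed, that the RFC 7999 well-known BLACKHOLE community 65535:666 marks the route (the thread names no community), and a cap of 100 prefixes per participant. All ASNs and addresses in the demo are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# RFC 7999 well-known BLACKHOLE community. The thread does not name a
# community value, so requiring this one is an assumption of the example.
BLACKHOLE_COMMUNITY = "65535:666"


@dataclass(frozen=True)
class Announcement:
    """A blackhole route as received on a participant's BGP session."""
    origin_asn: int
    prefix: str
    communities: Tuple[str, ...] = ()


class RtbhFilter:
    """Accept only blackhole routes a participant is entitled to inject.

    registry maps a participating ASN to the prefixes it may cover (the
    "AS209 within x.x.x.x, y.y.y.y" check); max_prefixes is the small
    per-participant cap discussed in the thread (assumed 100 here).
    """

    def __init__(self, registry: Dict[int, Iterable[str]], max_prefixes: int = 100):
        self.allowed = {
            asn: [ipaddress.ip_network(p) for p in prefixes]
            for asn, prefixes in registry.items()
        }
        self.max_prefixes = max_prefixes
        # Currently accepted host routes per participant.
        self.active: Dict[int, Set] = {asn: set() for asn in self.allowed}

    def evaluate(self, ann: Announcement) -> Tuple[bool, str]:
        """Return (accepted, reason); accepted routes are recorded as active."""
        blocks = self.allowed.get(ann.origin_asn)
        if blocks is None:
            return False, "origin ASN not registered"
        try:
            net = ipaddress.ip_network(ann.prefix)  # strict: rejects host bits set
        except ValueError:
            return False, "unparseable prefix"
        # Assumption: a blackhole is a single host, never a covering prefix.
        if net.prefixlen != net.max_prefixlen:
            return False, "only host routes (/32 or /128) may be blackholed"
        if not any(net.version == b.version and net.subnet_of(b) for b in blocks):
            return False, "prefix outside the origin's registered space"
        if BLACKHOLE_COMMUNITY not in ann.communities:
            return False, "missing BLACKHOLE community"
        active = self.active[ann.origin_asn]
        # A re-announcement of an already active route does not count twice.
        if net not in active and len(active) >= self.max_prefixes:
            return False, "per-participant prefix limit reached"
        active.add(net)
        return True, "accepted"

    def withdraw(self, origin_asn: int, prefix: str) -> bool:
        """Drop an active blackhole; True if it was present."""
        active = self.active.get(origin_asn, set())
        net = ipaddress.ip_network(prefix)
        if net in active:
            active.remove(net)
            return True
        return False


def run_demo() -> List[Tuple[str, bool, str]]:
    """Feed a constructed batch of announcements through the filter."""
    f = RtbhFilter({209: ["192.0.2.0/24", "2001:db8::/32"],
                    64496: ["198.51.100.0/24"]}, max_prefixes=2)
    batch = [
        Announcement(209, "192.0.2.10/32", (BLACKHOLE_COMMUNITY,)),   # ok
        Announcement(209, "198.51.100.5/32", (BLACKHOLE_COMMUNITY,)), # not AS209 space
        Announcement(209, "192.0.2.0/24", (BLACKHOLE_COMMUNITY,)),    # not a host route
        Announcement(65000, "192.0.2.1/32", (BLACKHOLE_COMMUNITY,)),  # unknown ASN
        Announcement(209, "192.0.2.11/32", ()),                       # no community
        Announcement(209, "2001:db8::1/128", (BLACKHOLE_COMMUNITY,)), # ok
        Announcement(209, "192.0.2.12/32", (BLACKHOLE_COMMUNITY,)),   # cap of 2 hit
    ]
    return [(a.prefix,) + f.evaluate(a) for a in batch]


if __name__ == "__main__":
    for prefix, ok, reason in run_demo():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {prefix:18} {reason}")
```

The cap is the point Jon raised: a participant whose session is compromised or misconfigured can blackhole at most max_prefixes hosts of its own space, and nothing outside it. A real route server would express the same checks as prefix-lists keyed by peer ASN plus a maximum-prefix limit on the session.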