[nsp-sec] CUTRS: Community Unwanted Traffic Removal Service
Hank Nussbacher
hank at efes.iucc.ac.il
Tue May 20 10:47:50 EDT 2014
At 09:54 20/05/2014 -0400, Rabbi Rob Thomas wrote:
- Will Team Cymru publish a list of those ASNs that are participating
(closed to the general public)?
- How secret is this? How can we implement it with our NOC without letting
them in on the details?
Thanks,
Hank
>----------- nsp-security Confidential --------
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hi, team.
>
> > What if the DDoS is big enough that even your transit providers can't
> > handle it? Not an unheard of situation with the popular
> > reflection+amplification attacks. You ask Cymru to ask "everyone" to
> > null route the target, thus stopping the traffic much closer to the
> > sources.
>
>Exactly right, thank you, Jon!
>
> >> We would probably prefix filter this to a specific small number (50-100?)
> >
> > My assumption would be this is intended to be used only for attack
> > mitigation. How many active large scale reflection+amplification DDoS's
> > are generally going on at one time these days?
>
>Agreed, it would be a small number. The geek in me hesitates to set a
>hard limit, but the liberal arts major in me says "oh sure, 100 is way
>more than we envision." :)
>
> > Another question I need answered is, do you have to participate in the
> > RTBH part (accepting null routes from the CUTRS servers) to be allowed
> > to have Cymru advertise your IPs? i.e. do you have to participate in
> > the mitigation to be eligible to have CUTRS mitigate an attack against
> > your network? This is a tool I'd like to have "just in case" we need
> > it, but I don't know if I'll be able to sell "some 3rd party gets to
> > decide what we null route". OTOH, if there isn't enough participation
> > in that part of it, then the service is pointless.
>
>Your last point is the most important: If there isn't significant
>community adoption, this won't work. It has to scale to scale. :)
>
>Folks, this isn't for the purpose of blocking the routine. That's why
>we make available the DDoS-RS and the text file version of that.
>
>The purpose of the CUTRS is for those massive DDoS attacks (100Gbps+
>today) that impact you, your customers, and perhaps others around you
>such as those at the same exchange(s). This is for those moments when
>your own expertise at mitigation, and infrastructure for mitigation, is
>simply overwhelmed by a surfeit of traffic or packets. It's a community
>response, automated through BGP.
>
>Would I expect folks to blindly accept what we publish? No, but we
>won't be the publishers. We're simply the messengers.
>
>The system is set up such that we inject nothing. Only the providers
>will be able to inject their own prefixes. Think of your own RTBH
>services as an example. Our role will be to verify that Don can
>announce things from AS209 and within IP space x.x.x.x, y.y.y.y, etc.
>We will have filters in place to ensure only approved space and ASNs
>participate and are propagated, not unlike what many of us do today on
>our peering sessions.
>
>Long winded answer, sorry, Jon. No, you don't have to accept to
>announce, or announce to accept. How you use the service is up to you.
>
>What I think the community does need is something superior to the ad-hoc
>approach of calls and email and messaging to mitigate massive attacks.
>If we can squelch massive attacks quickly, then the bad guys have lost
>the ability to cause widespread damage in this manner (e.g. NTP amp, DNS
>amp, et al.). It's no panacea, but I do think it helps.
>
>That said, we're wide open to all ideas!
>
>Thoughts?
>
>Thank you!
>Rob.
>- --
>Rabbi Rob Thomas
>Team Cymru https://www.team-cymru.org/
>"Of all tyrannies, a tyranny sincerely exercised for the good of its
> victims may be the most oppressive." - C.S. Lewis
>
>-----BEGIN PGP SIGNATURE-----
>
>iQCVAwUBU3tekFkX3QAo5sgJAQKYaQQAiZLEunHhCs1vtg05JrqaINtTQrav8VYN
>ArgWNDnOGgAbIf+OCWJAVPspuEbBfG3xhssYe32YME1/9+DqfO9MkOvms3DSIOkH
>l+P4VrqalHwSjmGMZmGySrV43YJS9k6VD1jASEj6CFOkPwS8EjDRQR2iFR2kpqGn
>VOy9zQ8w3P4=
>=eOHh
>-----END PGP SIGNATURE-----
>
>
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>community. Confidentiality is essential for effective Internet security
>counter-measures.
>_______________________________________________
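Rob's message above describes the one control that makes a shared RTBH feed safe to accept: the service injects nothing itself, and a participant may only announce blackholes for its own registered space, enforced by the same kind of prefix and origin-AS filters many operators already run on peering sessions. The following is an added example of that filter logic, not code from Team Cymru or the CUTRS service. The participant table, the ASNs and prefixes in it, the host-route-only rule, the requirement that routes carry the RFC 7999 BLACKHOLE community (65535:666), and the cap of 100 prefixes per participant (the thread only floats "50-100?") are all assumptions made for the example.

```python
"""Filter for a community RTBH feed: accept only blackhole routes that a
registered participant is entitled to announce for its own address space.

Added example, not code from Team Cymru or the CUTRS service. The
participant table, ASNs, prefixes, community and per-participant cap
are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed registration table: origin ASN -> address space that ASN
# is entitled to blackhole. A real service would build this from vetted
# registration data, as the thread describes ("verify that Don can
# announce things from AS209 and within IP space x.x.x.x, y.y.y.y").
PARTICIPANTS: Dict[int, list] = {
    209: [ipaddress.ip_network("192.0.2.0/24"),
          ipaddress.ip_network("2001:db8::/32")],
    64496: [ipaddress.ip_network("198.51.100.0/24")],
}

# The thread floats a cap of 50-100 announcements; 100 is assumed here.
MAX_PREFIXES_PER_ASN = 100

# RFC 7999 BLACKHOLE community. Requiring it is an assumption of this
# example: a route that is not explicitly tagged is never blackholed.
BLACKHOLE_COMMUNITY = "65535:666"


@dataclass(frozen=True)
class Announcement:
    prefix: str                    # e.g. "192.0.2.10/32"
    origin_asn: int                # origin AS of the route, i.e. the participant
    communities: Tuple[str, ...]   # standard communities as "ASN:value"


def validate(ann: Announcement, already_accepted: int = 0) -> Tuple[bool, str]:
    """Return (accepted, reason). already_accepted is how many prefixes
    this ASN already has in the feed, used for the per-participant cap."""
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError as exc:
        return False, f"unparseable prefix: {exc}"

    # RTBH targets a specific victim host; reject anything broader
    # (assumed policy, so a typo cannot blackhole a whole /24).
    if net.prefixlen != net.max_prefixlen:
        return False, f"not a host route: /{net.prefixlen}"

    allowed = PARTICIPANTS.get(ann.origin_asn)
    if allowed is None:
        return False, f"AS{ann.origin_asn} is not a registered participant"

    # Only the participant's own registered space may be blackholed.
    # Check address family first: subnet_of() raises across families.
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, f"{net} is outside AS{ann.origin_asn}'s registered space"

    if BLACKHOLE_COMMUNITY not in ann.communities:
        return False, f"missing {BLACKHOLE_COMMUNITY} community"

    if already_accepted >= MAX_PREFIXES_PER_ASN:
        return False, f"AS{ann.origin_asn} is at its cap of {MAX_PREFIXES_PER_ASN}"

    return True, "ok"


def filter_feed(anns: List[Announcement]):
    """Apply validate() to a batch, tracking the per-ASN prefix count.
    Returns (accepted announcements, [(rejected announcement, reason)])."""
    accepted, rejected = [], []
    per_asn: Dict[int, int] = {}
    for ann in anns:
        ok, why = validate(ann, per_asn.get(ann.origin_asn, 0))
        if ok:
            accepted.append(ann)
            per_asn[ann.origin_asn] = per_asn.get(ann.origin_asn, 0) + 1
        else:
            rejected.append((ann, why))
    return accepted, rejected


if __name__ == "__main__":
    sample = [  # constructed announcements exercising each check
        Announcement("192.0.2.10/32", 209, ("65535:666",)),
        Announcement("198.51.100.7/32", 209, ("65535:666",)),   # not AS209's space
        Announcement("192.0.2.0/24", 209, ("65535:666",)),      # too broad
        Announcement("203.0.113.5/32", 64500, ("65535:666",)),  # unregistered ASN
        Announcement("198.51.100.7/32", 64496, ()),             # no blackhole tag
    ]
    ok, bad = filter_feed(sample)
    for a in ok:
        print("ACCEPT", a.prefix, f"AS{a.origin_asn}")
    for a, why in bad:
        print("REJECT", a.prefix, f"AS{a.origin_asn}:", why)
```

The point of the example is the order of the checks: origin and prefix are validated against the registration before the route is treated as a blackhole at all, so a participant (or anyone who compromises a participant's session) cannot null-route space it does not own, and the per-ASN cap bounds the damage a single misbehaving feed can do.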