[nsp-sec] Recent 20 Gbps microburst DoS attack

J. Chambers jchambers at ucla.edu
Fri Dec 22 11:51:32 EST 2017


On 12/22/17 06:04, Roland Dobbins wrote:
> ----------- nsp-security Confidential --------
> 
> Both you and your upstream transit providers should have iACLs deployed,
> which pretty much obviates the need for CoPP, and is much simpler to
> maintain.  iBGP session from internal core-type router to transit edge
> router, or . . . ?
> 

We use iACLs, but I don't see how that would have helped here.  Maybe I'm
misunderstanding CoPP, but I thought control plane policing prioritized
routing traffic and SSH/Telnet under stress conditions, similar in some
degree to QoS.

The peering was between core-distribution routers.  I think what
happened is the DoS consumed a link and caused a BGP timeout due to
dropped hello packets.


> Since you're an endpoint network, there may well be tACLs you can deploy
> which would help, as well (the standard university nonsense about not
> being able to filter traffic because of 'academic freedom' is, of
> course, nonsense; hopefully, you aren't subject to such pressures from
> the uninformed, heh).
> 
> What were the targets of the attack?  Network infrastructure devices, or
> . . . ?
> 

heh, nah we're not really affected by that too much and can use RTBH if
needed.  The entire attack was over and done with before we detected it.

The DoS was UDP Port 80 and targeted our main website www.ucla.edu
(164.67.228.152), technically it hit the load-balancer VM in front of
the site and crashed that.


--Jason
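The failure mode described in this message (a flood fills a router-to-router link, BGP keepalives are tail-dropped on the congested interface, the hold timer expires) is something iACLs and CoPP cannot prevent, because both act on packets that have already reached the router. The added simulation below, which is not code from the list, from the poster or from UCLA, models one egress interface as a fluid FIFO and shows two things: whether the BGP session survives with and without a strict-priority queue for control-plane traffic on that interface, and what a 5-minute interface-counter poll would have shown compared with 1-second polling, which is why a burst can be over before anyone sees it. Every number in it (10 Gbit/s link, 64 MB buffer, 20 Gbit/s flood for 40 s, 10 s/30 s BGP timers, 5-minute poll) is a constructed assumption, not a value reported in the thread.

```python
"""Why a saturated link drops BGP even with CoPP and iACLs in place, and
why the burst can be invisible to coarse interface polling.

Fluid-model simulation of one router egress interface under a volumetric
flood.  Added example for this thread; not code from the list or from
UCLA.  All numbers (link size, buffer depth, BGP timers, burst profile)
are constructed assumptions, not values reported in the mail.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Link:
    capacity_bps: float      # line rate of the congested interface
    buffer_bytes: float      # egress FIFO depth before tail drop
    priority_queue: bool     # control-plane traffic served ahead of the FIFO


@dataclass
class Bgp:
    keepalive_ms: int        # KEEPALIVE interval
    hold_ms: int             # negotiated hold timer


def simulate(link: Link, bgp: Bgp, attack_bps: float,
             attack_start_ms: int, attack_end_ms: int, duration_ms: int) -> dict:
    """Step the interface in 1 ms slots.

    Per slot: enqueue the offered flood bytes (tail drop at buffer_bytes),
    then check whether a KEEPALIVE due in this slot gets through, then
    drain at line rate.  A KEEPALIVE is a few bytes and is ignored as load.
    Simplification: TCP retransmission is not modelled, so a drop here
    means the peer never sees that KEEPALIVE (pessimistic by design).
    """
    cap_per_slot = link.capacity_bps / 8 / 1000       # bytes per ms
    flood_per_slot = attack_bps / 8 / 1000
    q = 0.0                                            # FIFO occupancy, bytes
    tx_per_slot = []                                   # what the out-octet counter sees
    sent = delivered = 0
    last_rx_ms = 0                                     # session assumed up at t=0
    next_ka_ms = bgp.keepalive_ms
    hold_expired_ms: Optional[int] = None
    offered_total = 0.0
    for t in range(duration_ms):
        offered = flood_per_slot if attack_start_ms <= t < attack_end_ms else 0.0
        offered_total += offered
        q = min(q + offered, link.buffer_bytes)
        if t == next_ka_ms:
            sent += 1
            next_ka_ms += bgp.keepalive_ms
            # A strict-priority queue lets the KEEPALIVE bypass the backlog;
            # without one it is tail-dropped whenever the FIFO is full.
            if link.priority_queue or q < link.buffer_bytes:
                delivered += 1
                last_rx_ms = t
        drained = min(q, cap_per_slot)
        q -= drained
        tx_per_slot.append(drained)
        if hold_expired_ms is None and t - last_rx_ms >= bgp.hold_ms:
            hold_expired_ms = t   # a real router tears the session down here;
                                  # we keep counting to show when KEEPALIVEs recover
    return {
        "keepalives_sent": sent,
        "keepalives_delivered": delivered,
        "hold_expired_s": None if hold_expired_ms is None else hold_expired_ms / 1000,
        "tx_per_slot": tx_per_slot,
        "dropped_bytes": offered_total - sum(tx_per_slot) - q,
    }


def max_utilization(tx_per_slot, link: Link, window_ms: int) -> float:
    """Highest average utilisation over aligned windows of window_ms,
    i.e. the best a counter polled every window_ms could possibly show."""
    cap_per_slot = link.capacity_bps / 8 / 1000
    best = 0.0
    for i in range(0, len(tx_per_slot), window_ms):
        chunk = tx_per_slot[i:i + window_ms]
        best = max(best, sum(chunk) / (cap_per_slot * len(chunk)))
    return best


# Constructed scenario (assumptions, not figures from the thread): 10 Gbit/s
# core-distribution link, 64 MB egress buffer, 20 Gbit/s flood for 40 s,
# BGP timers tuned to 10 s keepalive / 30 s hold, one 5-minute poll window.
LINK_FIFO = Link(10e9, 64e6, priority_queue=False)
LINK_PQ = Link(10e9, 64e6, priority_queue=True)
BGP_TIMERS = Bgp(keepalive_ms=10_000, hold_ms=30_000)
ATTACK_BPS = 20e9
ATTACK_START_MS, ATTACK_END_MS = 10_000, 50_000
POLL_MS = 300_000


def run_scenario(priority_queue: bool) -> dict:
    link = LINK_PQ if priority_queue else LINK_FIFO
    r = simulate(link, BGP_TIMERS, ATTACK_BPS, ATTACK_START_MS, ATTACK_END_MS, POLL_MS)
    r["util_5min_poll"] = max_utilization(r["tx_per_slot"], link, POLL_MS)
    r["util_1s_poll"] = max_utilization(r["tx_per_slot"], link, 1_000)
    del r["tx_per_slot"]
    return r


if __name__ == "__main__":
    for pq in (False, True):
        print("priority queue" if pq else "plain FIFO  ", run_scenario(pq))
```

With a plain FIFO the three KEEPALIVEs that fall inside the 40 s burst are tail-dropped and the 30 s hold timer expires at t=40 s; with a priority queue for control-plane traffic on the same interface every KEEPALIVE is delivered and the session rides out the flood. In both cases the 5-minute counter poll reports roughly 13% average utilisation while 1-second polling shows the interface pinned at 100%, which is the detection gap for short floods. Two caveats: the model ignores TCP retransmission, so it overstates loss of an individual KEEPALIVE, and with vendor-default timers (for example 60 s keepalive / 180 s hold) this particular 40 s burst would not have expired the hold timer at all, so the burst length relative to the negotiated hold time decides the outcome.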

