anycast and ddos

Fergie · May 6, 2005, 5:03pm

As one of the co-authors of RFC-2827, I'm assuming you
meant me -- if so, no apology needed.

I'm just sorry to have to see a "weakness" exploited which
could easily be "fixed"....

- ferg

ps. This also seems like a good time to mention (again)
"The Spoofer Project" at MIT:

http://momo.lcs.mit.edu/spoofer/

[and]

http://momo.lcs.mit.edu/spoofer/summary.php

Kasper_Adel · May 7, 2005, 12:48am

I've looked around most DDoS prevention methods outhere, i can safely
say that alot of them usually just repeat each other, for me it all
boils down to

1) CoPP and aggresive SPD to protect the routing/management when
infrastructure is attacked.

2) Getting Riverhead, which is a shame if they had it and it didnt save the day.

3) Netflow to detect the attacking sources/dst and using Filtering and
blackholing methods. (Arbor, open-source tools...)

So, if they had all that in place and still they were brought down,
then i would seriously like to look for new/different solutions
applied or perhaps someone on the list could give us his experience in
a case of a heavy ddos where it was easily mitigated with the above.

Regards

Christopher_L_Morro1 · May 7, 2005, 1:43am

riverhead has its warts, one of the larger ones is in some assumptions
made about DNS client behaviour from first-hand experience you have to
be very cautious when sticking one in front of a dns server(s), I imagine
the mix gets really fun when that server(s) are really boxes with
massively large lists of auth domains...

Either way, without first-hand info from the attackee it's going to be
tough to sort out what was and wasn't the problem... I do think that
someone is going to chat about tcp/53 filtering and possibly other things
DNS and ATTACK at the NSP-SEC BoF at nanog 34.

-Chris

Sean_Donelan · May 7, 2005, 1:53am

And Number 4

4) Ask for help.

If netsol didn't ask for help, is it a surprise they received limited
amount of help?

Christopher_L_Morro1 · May 7, 2005, 2:04am

> I've looked around most DDoS prevention methods outhere, i can safely
> say that alot of them usually just repeat each other, for me it all
> boils down to

And Number 4

4) Ask for help.

there are people out on the internet that want to help?

If netsol didn't ask for help, is it a surprise they received limited
amount of help?

Despite the cynicism, from me not sean, it really would be 'ok' for people
to ask for help from their providers when 'bad things' happen.