On Mon, Aug 19, 2019 at 8:12 PM Damian Menscher <dam...@google.com> wrote:

> A factor of 2 is "rounding error" and we probably shouldn't
> waste our time on it (eg, by designing solutions to reduce
> amplification factors) when we could instead be targeting
> the sources of spoofed traffic.

Ah, fine. Spoofing is obviously the root cause here. I was mostly addressing the statement that factors of 2 to 5 aren't "particularly interesting for attackers or defenders". In my experience they certainly are.

> this particular "carpet-bombing" attack isn't likely to be
> mitigated at the network layer anyway... the load is
> distributed across thousands of machines which can
> each trivially handle the state.

Not in a typical DC/ISP environment! With the solution you propose, perfect routing symmetry is a hard requirement, b/c you need to make sure a returning SYN/ACK hits the very same machine as the initial SYN. As long as you expect a DDoS to be handled somewhere close to the border of your network, this is hardly achievable for a network growing in size.

--
Töma