2012/2/5 Steve Bertrand <steve.bertr...@gmail.com>

> On 2012.02.05 20:37, Keegan Holley wrote:
>
>> 2012/2/5 Dobbins, Roland <rdobb...@arbor.net>
>>
>>> S/RTBH - as opposed to D/RTBH - doesn't kill the patient. Again, suggest
>>> you read the preso.
>>>
>>
>> Source RTBH often falls victim to rapidly changing or spoofed source IPs.
>> It also isn't as widely supported as it should be. I never said DDOS was
>> hopeless, there just isn't a wealth of defenses against it.
>>
>
> This is so very easily automated. Even if you don't actually want to
> trigger the routes automatically, finding the sources you want to blackhole
> is as simple as a monitor port, tcpdump and some basic Perl.
>

This is still vulnerable to spoofing, which could cause you to filter legitimate traffic and make the problem worse. Not saying that S/RTBH is a bad idea. RTBH is effective and a great idea, just not very elegant.

> ...and as far as this not having been deployed in many ISPs (per your next
> message)... their mitigation strategies should be asked up front, and if
> they don't have any (or don't know what you speak of), find a new ISP.
>

You sometimes have to weigh the pros and cons. You can't always pick the guys with the coolest knobs.
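The "monitor port, tcpdump and some basic Perl" recipe from the quoted message, written out as an added example (not code from anyone in this thread, and in Python rather than Perl): it parses `tcpdump -n` lines, counts packets per source toward a victim address, emits S/RTBH trigger routes for the heaviest sources, and applies a simple sanity check for the spoofing concern raised in the reply. The victim address, the `tcpdump -n` line format, the discard next hop 192.0.2.1 (assumed to be routed to Null0 on the edge routers) and the route tag 666 are all assumptions for illustration; the sample lines are constructed.

```python
"""Find top-talker sources in tcpdump output and emit S/RTBH trigger routes.

Added example, not from the thread. Assumes 'tcpdump -n' IPv4 line format,
a known victim address, and a Cisco-style static route whose next hop
(192.0.2.1) is already routed to Null0 on the edge routers (assumed setup).
"""
import re
from collections import Counter

# Head of a 'tcpdump -n' IPv4 line (assumed format):
#   12:00:00.000001 IP 203.0.113.5.40000 > 198.51.100.7.80: Flags [S], ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+:"
)


def count_sources(lines, victim):
    """Count packets per source address that are addressed to `victim`."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("dst") == victim:
            counts[m.group("src")] += 1
    return counts


def top_sources(counts, min_packets):
    """Sources that sent at least `min_packets` packets, busiest first."""
    return [(src, n) for src, n in counts.most_common() if n >= min_packets]


def spoofing_suspected(counts, max_single_fraction=0.5):
    """Heuristic for the spoofing caveat: if most sources show up only once,
    the source field is probably randomized and blackholing sources one /32
    at a time will never converge (and risks hitting real addresses)."""
    if not counts:
        return False
    singles = sum(1 for n in counts.values() if n == 1)
    return singles / len(counts) > max_single_fraction


def trigger_routes(sources, next_hop="192.0.2.1", tag=666):
    """Cisco-style static /32 routes for the S/RTBH trigger router (assumed
    syntax); the next hop is the discard address the edges send to Null0."""
    return [f"ip route {src} 255.255.255.255 {next_hop} tag {tag}"
            for src, _ in sources]


# Constructed sample: two heavy SYN sources, one legitimate single packet,
# and one packet to a different destination that must be ignored.
SAMPLE = [
    "12:00:00.000001 IP 203.0.113.5.40000 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:00.000002 IP 203.0.113.5.40001 > 198.51.100.7.80: Flags [S], seq 2, win 64240, length 0",
    "12:00:00.000003 IP 203.0.113.5.40002 > 198.51.100.7.80: Flags [S], seq 3, win 64240, length 0",
    "12:00:00.000004 IP 203.0.113.9.40000 > 198.51.100.7.80: Flags [S], seq 4, win 64240, length 0",
    "12:00:00.000005 IP 203.0.113.9.40001 > 198.51.100.7.80: Flags [S], seq 5, win 64240, length 0",
    "12:00:00.000006 IP 198.51.100.20.443 > 198.51.100.7.50000: Flags [.], ack 1, win 500, length 0",
    "12:00:00.000007 IP 203.0.113.5.40003 > 198.51.100.8.80: Flags [S], seq 6, win 64240, length 0",
]

if __name__ == "__main__":
    counts = count_sources(SAMPLE, "198.51.100.7")
    if spoofing_suspected(counts):
        print("# mostly single-packet sources: likely spoofed, per-source S/RTBH will not converge")
    for route in trigger_routes(top_sources(counts, min_packets=2)):
        print(route)
```

In practice the input would be piped in from `tcpdump -n -i <monitor-port>` rather than a list, and the routes reviewed by a human before being pushed to the trigger router, which is the "don't trigger automatically" option the quoted message mentions; the heuristic is only a coarse first guard, since a randomized-source flood will show up as a flat distribution of one-off addresses rather than a few heavy talkers.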