On Wed, Oct 8, 2014 at 9:59 AM, John Kristoff <j...@cymru.com> wrote:
> If you think this is a terrible idea and want to express all that is
> wrong with it, tell me that too, I can take it.
Hi John,

It's a good idea, I think, but it has a problem: it's an escalation in an arms race that doesn't end well for the blue team. If we ever get good at keeping traffic to a single IP far enough away to not cripple us, the attacker need only spray the /24. Or spray our entire address space, easily identifiable from our BGP announcement. All this effort on our end and it took the attacker 15 minutes to modify his code.

Two general types of DDOS traffic: botnets and forged source addresses.

For the botnets, lots of real machines, each with a legitimate source IP address, we need to get to a router interface as close to each source address as we can get. Then temporarily shut down traffic from that source address crossing that link until the data flow suggests the problem traffic has ceased. Even if we have to pay the ISP who owns that link to do it for us. Quickly find it with automation. Quickly authenticate the attack flow. Quickly pay for remediation.

For the address forgers, we need some kind of public detection system where ISPs who care provide the trace tools that let us figure out where the rogue attacking our network is _actually_ coming from. After which we can pay the ISP to interdict any traffic destined for anywhere in our network which enters from that link. Quickly, with automation.

We can't win the arms race based on the destination; we'll only win it if we find a way to zero in on and interdict the source.

Regards,
Bill Herrin

P.S. Also worth noting that paying a DDOS mitigation service can already accomplish the best-case result from something like UTRS. The mitigator announces the affected /24, sinks the attacked IP address and tunnels the rest of the packets back to us. Expensive but easy peasy.

--
William Herrin ................ her...@dirtside.com b...@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
May I solve your unusual networking challenges?