On Mon, Aug 19, 2019 at 8:12 PM Damian Menscher <damian@google.com> wrote:
A factor of 2 is "rounding error" and we probably shouldn't waste our time on it (eg, by designing solutions to reduce amplification factors) when we could instead be targeting the sources of spoofed traffic.
Ah, fine. Spoofing is obviously the root cause here. I was mostly addressing the statement that factors of 2 to 5 aren't "particularly interesting for attackers or defenders". In my experience they certainly are.
this particular "carpet-bombing" attack isn't likely to be mitigated at the network layer anyway... the load is distributed across thousands of machines which can each trivially handle the state.
Not in a typical DC/ISP environment! With the solution you propose, a perfect routing symmetry is a hard requirement, b/c you need to make sure a returning SYN/ACK hits the very same machine as the initial SYN. As long as you expect a DDoS to be handled somewhere close to the border of your network, this is hardly achievable for a network growing in size. -- Töma