On Thu, Dec 19, 2013 at 8:18 AM, Edward Lewis <ed.lewis@neustar.biz> wrote:
On Dec 18, 2013, at 18:12, cb.list6 wrote:
I am strongly considering having my upstreams to simply rate limit ipv4 UDP. It is the simplest solution that is proactive.
Recently it's been said that when a protocol is "query/response" (like DNS), willingly suppressing responses might be as harmful as passing all the traffic.
This comes from a presentation at October's DNS-OARC workshop:
https://indico.dns-oarc.net//getFile.py/access?contribId=4&resId=0&materialId=slides&confId=1
This is a "what is possible in theory" presentation, said to help you set your expectation whether this is a true threat or not.
The underlying message is that while a querier is waiting for a response, there is a window of vulnerability in which a forged response might be accepted. If the responder elects not to respond, they increase the (time) duration of that window.
While "smart" rate limiting exhibits benefits I suspect "simple" rate limiting might have some undesirable consequences.
I completely agree. This why i have not yet implemented IPv4 UDP rate-limiting yet, but it seems inevitable for 2014 if these attacks go on. The profile i have in mind is when UDP exceeds 5x the baseline, then tail-drop. Keep in mind, when UDP exceeds 5x the baseline, the chances are are 99% that the UDP is consuming the entire ISP pipe and everything is rate-limited due to the pipe being saturated. So, this is not a simple either / or. This is degrade UDP proactively or suffer all traffic degrading because there is a huge DDoS coming in (which is the current situation).
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468
Why is it that people who fear government monitoring of social media are surprised to learn that I avoid contributing to social media?