On Thu, Aug 16, 2007 at 04:00:36PM +0100, michael.dillon@bt.com wrote:
Unless all these bots are directly connected (direct customer) and concentrated on one portion of the network (not spread across the entire access layer), I can't imagine, with the tools, features, products, etc. that are available today (that can almost manage DDoS attacks for you), that it couldn't be mitigated. 5-6 years ago this would have been a lot tougher, but it was still doable.
Remote triggered BGP blackhole filtering comes to mind: ftp://ftp-eng.cisco.com/cons/isp/security/Remote-Triggered-Black-Hole-Filtering-02.pdf
And if the bots are directly connected or concentrated in one point of the network, it seems to me that simple ACLs can mitigate the attack.
I agree that DDoS is not likely to take down a network big enough to be called a backbone unless there is some kind of unforeseen side effects to the DDoS.
Unless they are not 'in' the network and hence can't be stopped internally, and have the potential to overwhelm any external interface... these cannot be mitigated without cooperation from other networks.

Steve
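For readers who have not set up the two techniques named above, here is an added example (mine, not from anyone in this thread or from the Cisco paper) of what a minimal Cisco IOS remote triggered blackhole deployment and the "simple ACL" alternative look like. Every address, AS number, tag and community value below is a constructed placeholder: 192.0.2.1 is the unused "discard" next-hop, 203.0.113.5 is the victim host, 198.51.100.0/24 is the directly connected customer block the bots sit in, and 65000:666 is the in-house blackhole community.

```cisco
!=== Trigger router (one box the NOC touches during an attack) ===
! Discard next-hop: an address nobody uses, pinned to Null0 everywhere.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
 ! Only statics carrying tag 666 are turned into blackhole routes.
 redistribute static route-map RTBH-TRIGGER
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community 65000:666 no-export
!
! The actual trigger. Adding this line blackholes the victim on every
! edge router within one BGP update; removing it restores service.
! Placeholder victim address, constructed for this example.
ip route 203.0.113.5 255.255.255.255 Null0 tag 666

!=== Every edge router (configured once, before any attack) ===
! The same discard next-hop must resolve to Null0 here, otherwise the
! iBGP route would be unreachable and silently ignored.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 send-community
 neighbor 10.0.0.1 route-map RTBH-IN in
!
ip community-list standard RTBH permit 65000:666
!
route-map RTBH-IN permit 10
 match community RTBH
 set ip next-hop 192.0.2.1
route-map RTBH-IN permit 20
!
! Verification on an edge router while the trigger is installed:
!   show ip bgp 203.0.113.5      -> next hop 192.0.2.1, community 65000:666
!   show ip route 203.0.113.5    -> resolves via 192.0.2.1 -> Null0
!   show interface Null0         -> packet drop counter climbing

!=== ACL alternative for bots on one directly connected customer port ===
! Only worth it when the sources really are concentrated, as discussed above.
ip access-list extended DROP-BOT-FLOOD
 deny   ip 198.51.100.0 0.0.0.255 host 203.0.113.5 log-input
 permit ip any any
!
interface GigabitEthernet0/1
 description Customer port the bots sit behind (placeholder)
 ip access-group DROP-BOT-FLOOD in
```

Two things to keep in mind when reading this. First, the blackhole completes the denial of service for 203.0.113.5 itself; what it buys is that the rest of the customers behind the same routers stay up, and it does so at line rate on every edge. Second, it only stops traffic once it is on your routers, which is exactly the limitation raised above: if the flood fills the external circuit, the drop has to happen upstream. The usual answer is that the upstream provider accepts a blackhole community from its customers (the value is provider specific and would be documented by them, not the 65000:666 placeholder used here), so the same one-line trigger can be propagated outward instead of a phone call.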