On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
> Besides having *a lot* of bandwidth there's not really much you can do to mitigate. Once you have the bandwidth you can filter (w/good hardware). Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.
There is a variation on that theme. Using a distributed architecture (anycast, CDN, whatever), you can limit the attack to certain nodes. If you have 20 nodes and get attacked from a botnet in China, only the users on the same node as the Chinese users will be down. The other 95% of your users will be fine. This is true even if you have 1 Gbps per node, and the attack is 100 Gbps strong.
> Spoofed attacks have reduced significantly, probably because of the use of RPF. However, we still see these from time to time.
I disagree. Spoofed attacks have reduced because the botnets do not need to spoof to succeed in some attacks. RPF is woefully inadequately applied. For attacks which require spoofing, it is still trivial to generate 10s of Gbps of spoofed packets.
> I do not see a real solution to this problem right now...there's not much you can do about the unwillingness of users to keep their software/OS up to date and deploy anti-virus/anti-malware software (and keep it up to date). Some approaches have been made like cutting off internet access for users which have been identified by ISPs for being members of some botnet/being infected. This might be the only long-term solution to this, probably. There is just no patch for human stupidity.
Quarantining end users sounds like a good idea to me. But I Am Not An ISP. :) The idea of auto-updates at the OS level like in iOS (as opposed to big-I "IOS") may be a solution for many people. Supposedly OSX is going that route. But there will be those who do not want to get their software -only- through a walled garden like iTunes. Fortunately, the motivations do have some alignment. The users who do not need full access to their machines are the ones who are more likely to get confused & infected, and the ones who want someone to "protect" them more, which makes OS-level auto-update more appealing. So that may help, even if it is not a panacea. Wish us luck!

-- 
TTFN,
patrick
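The "RPF" that Jonas and Patrick disagree about above is unicast reverse-path forwarding, the usual way of implementing BCP 38 source-address validation on a router. The example below is added here to illustrate the thread and is not code from either poster: it is a toy implementation of strict and loose uRPF over a constructed forwarding table, with made-up interface names and sample packets. It shows why the check only bites where it is deployed close to the customer (strict mode on an edge port drops a spoofed source outright) and why it does almost nothing on a transit link that carries a default route (strict mode there accepts everything, and loose mode only drops unrouted space).

```python
"""Toy unicast RPF (uRPF) source-address check, strict and loose modes.

Added example: the routing table (FIB), interface names and sample packets
are all constructed for illustration and do not come from any real router.
"""
import ipaddress

# Constructed FIB: (prefix, interface the prefix is reachable through).
FIB = [
    ("0.0.0.0/0", "ge-0/0/0"),         # default route toward upstream transit
    ("198.51.100.0/24", "ge-0/0/1"),   # customer A
    ("203.0.113.0/24", "ge-0/0/2"),    # customer B
    ("203.0.113.128/25", "ge-0/0/3"),  # more-specific of B learned on a second link
]


def lookup(fib, src):
    """Longest-prefix match for src. Returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, ifname)
    return best


def urpf_strict(fib, src, in_if):
    """Strict uRPF: accept only if the best route back to src exits via in_if.

    Drops spoofed sources on customer ports, but also drops legitimate traffic
    on asymmetric paths, and degenerates to 'accept everything' on the
    interface that carries the default route."""
    route = lookup(fib, src)
    return route is not None and route[1] == in_if


def urpf_loose(fib, src, ignore_default=True):
    """Loose uRPF: accept if *any* route to src exists, whatever the interface.

    With ignore_default=True a source covered only by 0.0.0.0/0 is rejected,
    which is what makes loose mode useful on transit links: it drops bogons
    and unrouted space but cannot stop spoofing of routed addresses."""
    route = lookup(fib, src)
    if route is None:
        return False
    if ignore_default and route[0].prefixlen == 0:
        return False
    return True


def filter_packets(fib, packets, mode):
    """Apply the chosen uRPF mode to (src, in_if) pairs; returns a verdict per packet."""
    check = {"strict": lambda s, i: urpf_strict(fib, s, i),
             "loose": lambda s, i: urpf_loose(fib, s)}[mode]
    return [(src, in_if, "accept" if check(src, in_if) else "drop")
            for src, in_if in packets]


# Constructed sample traffic: (source address, ingress interface).
PACKETS = [
    ("198.51.100.7", "ge-0/0/1"),   # customer A using its own address
    ("198.51.100.7", "ge-0/0/2"),   # customer B spoofing customer A
    ("203.0.113.200", "ge-0/0/3"),  # B's more-specific arriving on the expected link
    ("203.0.113.200", "ge-0/0/2"),  # same source on B's other link (asymmetric)
    ("192.0.2.9", "ge-0/0/2"),      # customer B spoofing unrouted space
    ("192.0.2.9", "ge-0/0/0"),      # same spoofed source arriving from upstream
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} uRPF ---")
        for src, in_if, verdict in filter_packets(FIB, PACKETS, mode):
            print(f"{src:>16} on {in_if}: {verdict}")
```

Running it shows the trade-off the thread is circling: strict mode on the customer ports catches the spoofed 198.51.100.7 and 192.0.2.9 packets, but also drops customer B's legitimate asymmetric traffic on ge-0/0/2, which is one reason operators switch it off; on the upstream port ge-0/0/0, strict mode accepts the spoofed packet because the default route points back out that interface, and loose mode can only reject it because 192.0.2.0/24 has no route at all. Spoofed packets with sources inside someone else's routed space pass every check on a transit link, so filtering has to happen at the edge that knows which prefixes belong on which port.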