I was joking. I meant that the operator provides an API for attackers, so they can accomplish their goal of taking the customer offline without having to spoof or flood or whatever else. Automatically installing ACLs in response to observed flows accomplishes almost the same thing.

As a concrete example, say a customer is running a game server that utilizes UDP port 12345. An attacker sends a large flow to customer:12345 and your switches and routers all start filtering anything with destination customer:12345 for, say, 2 hours. Then the attacker can just repeat in 2 hours and send only a few seconds' worth of flooding each time.

On Feb 4, 2014, at 6:52 PM, William Herrin <bill@herrin.us> wrote:
On Tue, Feb 4, 2014 at 1:45 PM, Laszlo Hanyecz <laszlo@heliacal.net> wrote:
Why not just provide a public API that lets users specify which of your customers they want to null route?
They're spoofed packets. There's no way for anyone outside your AS to know which of your customers the packets came from. It's not particularly easy to trace inside your AS either.
Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
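As an added illustration, not from the thread, a small Python simulation of the auto-ACL behaviour Laszlo describes: a destination port is filtered for a fixed window whenever an observed flow exceeds a threshold, and the sender only re-sends a short burst when that filter lapses. The trigger rate (1000 pps), the 2-hour window, the 5-second burst and the 24-hour horizon are assumed values chosen to match the example in the message.

```python
"""Model an 'install an ACL on observed flow' policy and measure how much
of the filtered time is paid for by the sender's own traffic."""
from dataclasses import dataclass, field


@dataclass
class AutoAclPolicy:
    """Filters (dst, port) for block_seconds whenever a flow reaches trigger_pps."""
    trigger_pps: int
    block_seconds: int
    blocked_until: dict = field(default_factory=dict)  # (dst, port) -> expiry second

    def observe(self, now, dst, port, pps):
        """Called once per second per flow; (re)installs the filter on a big flow."""
        if pps >= self.trigger_pps:
            self.blocked_until[(dst, port)] = now + self.block_seconds

    def is_filtered(self, now, dst, port):
        return self.blocked_until.get((dst, port), -1) > now


def simulate(policy, horizon_s, burst_s, burst_pps, dst="customer", port=12345):
    """One-second time steps. The sender floods for burst_s seconds only while the
    port is NOT filtered, i.e. it waits for the ACL to expire and then re-triggers it.
    Returns (fraction of horizon the port was filtered, seconds the sender transmitted)."""
    filtered_seconds = 0
    sent_seconds = 0
    bursting_until = -1
    for t in range(horizon_s):
        if not policy.is_filtered(t, dst, port) and bursting_until <= t:
            bursting_until = t + burst_s        # filter lapsed: one more short burst
        if t < bursting_until:
            sent_seconds += 1
            policy.observe(t, dst, port, burst_pps)
        if policy.is_filtered(t, dst, port):
            filtered_seconds += 1               # customer:12345 unreachable this second
    return filtered_seconds / horizon_s, sent_seconds


if __name__ == "__main__":
    # Assumed parameters: 2-hour ACL, 5-second bursts at 10k pps, 24-hour window.
    policy = AutoAclPolicy(trigger_pps=1000, block_seconds=2 * 3600)
    down, sent = simulate(policy, horizon_s=24 * 3600, burst_s=5, burst_pps=10_000)
    print(f"port filtered {down:.0%} of the day; sender transmitted {sent} s in total")
```

With these parameters the port stays filtered for the whole day while the sender transmits for only 60 seconds, which is the amplification the message warns about: the ACL, not the flood, is what keeps the customer offline.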