On Dec 19, 2013 4:25 PM, "Dobbins, Roland" <rdobbins@arbor.net> wrote:

> On Dec 19, 2013, at 6:12 AM, cb.list6 <cb.list6@gmail.com> wrote:
>
>> I am strongly considering having my upstreams simply rate limit IPv4 UDP.
>
> QoS is a very poor mechanism for remediating DDoS attacks. It ensures
> that programmatically-generated attack traffic will 'squeeze out' legitimate traffic.

I agree. But... I am pretty sure I am going to do it. Trade-offs.

During an attack, 100% of the attack traffic is IPv4 UDP (DNS, chargen, whatever).

> Have you checked to see whether you and/or your customers have open DNS recursors, misconfigured CPE devices, etc. which can be used as reflectors/amplifiers on your respective networks?
>
> Have you implemented NetFlow and S/RTBH? Considered building a mitigation center?
>
> <http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
>
> Do you work with your peers/upstreams/downstreams to mitigate DDoS attacks when they ingress your network?

Not answering any of that. But thanks for asking.

> There are lots of things one can do to increase one's ability to detect, classify, traceback, and mitigate DDoS attacks, yet which aren't CAPEX-intensive.

I think IPv4 UDP is just going to become operationally deprecated. Too much pollution. It is really an epic amount of trash / value ratio in IPv4 UDP. I recommend folks enable their auth DNS servers for IPv6... and don't run open resolvers.

CB

> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
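The thread argues two things at once: that attack traffic toward the victim is effectively all IPv4 UDP from reflection services (DNS, chargen), and that the non-CAPEX answer is NetFlow plus S/RTBH rather than a blanket UDP rate limit. The script below is an added example, not code from the thread or from either poster. It classifies constructed NetFlow-style records (all addresses are documentation/TEST-NET ranges, all byte and packet counts are made up) to compute the IPv4 UDP share of inbound bytes and to list the reflector sources that a source-based RTBH or an abuse report to the reflector's operator would target. The CSV field layout, the amplifier-port table and the packet-size threshold are assumptions chosen for the example.

```python
"""
Added example (not from the NANOG thread): classify constructed NetFlow-style
records to (a) measure how much inbound traffic is IPv4 UDP and (b) list the
reflector sources (open resolvers, chargen, NTP, SSDP) that would be the targets
of a source-based RTBH. Every IP, port and counter below is constructed data.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# UDP services abused as reflectors/amplifiers, keyed by the *source* port the
# reflected traffic arrives from. Assumed list: the thread names DNS and chargen;
# NTP and SSDP are added here because they behave the same way.
AMPLIFIER_PORTS = {53: "dns", 19: "chargen", 123: "ntp", 1900: "ssdp"}

# Constructed flow records: src,sport,dst,dport,proto,bytes,pkts
# (proto 17 = UDP, 6 = TCP). 203.0.113.0/24 plays the victim network.
SAMPLE_FLOWS = """
# open resolver replying with large answers toward a spoofed victim port
198.51.100.7,53,203.0.113.10,4444,17,3600000,1000
# chargen reflector
192.0.2.20,19,203.0.113.10,4444,17,1024000,1000
# NTP reflector (482-byte responses)
198.51.100.9,123,203.0.113.10,4444,17,241000,500
# legitimate DNS replies: small packets, should NOT be flagged
198.51.100.53,53,203.0.113.10,53412,17,8000,100
# legitimate inbound TCP (HTTPS) traffic
198.51.100.50,443,203.0.113.10,51000,6,200000,400
# outbound flow from the victim; excluded by the prefix filter
203.0.113.10,51000,198.51.100.50,443,6,50000,300
"""


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int   # IP protocol number
    bytes: int
    pkts: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the assumed 7-column CSV layout; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, nbytes, pkts = line.split(",")
        flows.append(Flow(src, int(sport), dst, int(dport), int(proto), int(nbytes), int(pkts)))
    return flows


def inbound(flows: list[Flow], prefix: str) -> list[Flow]:
    """Keep only flows whose destination lies inside our prefix (IPv6 dst never matches a v4 net)."""
    net = ipaddress.ip_network(prefix)
    return [f for f in flows if ipaddress.ip_address(f.dst) in net]


def udp_share(flows: list[Flow], prefix: str) -> float:
    """Fraction of inbound bytes to `prefix` carried by IPv4 UDP (the thread's '100%' claim)."""
    inb = inbound(flows, prefix)
    total = sum(f.bytes for f in inb)
    udp = sum(f.bytes for f in inb
              if f.proto == 17 and ipaddress.ip_address(f.src).version == 4)
    return udp / total if total else 0.0


def reflector_candidates(flows: list[Flow], prefix: str, min_avg_pkt: int = 400):
    """
    Sources sending UDP *from* an amplifier service port into `prefix` with a large
    average packet size. Amplified responses are big; ordinary DNS answers are not,
    so the size threshold (assumed default 400 bytes) keeps legitimate resolvers out.
    Returns (src, service, bytes, avg_pkt) tuples, largest sender first.
    """
    agg = defaultdict(lambda: [0, 0])   # (src, sport) -> [bytes, pkts]
    for f in inbound(flows, prefix):
        if f.proto == 17 and f.sport in AMPLIFIER_PORTS:
            agg[(f.src, f.sport)][0] += f.bytes
            agg[(f.src, f.sport)][1] += f.pkts
    out = []
    for (src, sport), (b, p) in agg.items():
        avg = b / p if p else 0
        if avg >= min_avg_pkt:
            out.append((src, AMPLIFIER_PORTS[sport], b, round(avg)))
    return sorted(out, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(f"IPv4 UDP share of inbound bytes: {udp_share(flows, '203.0.113.0/24'):.1%}")
    for src, svc, b, avg in reflector_candidates(flows, "203.0.113.0/24"):
        print(f"reflector {src:15} {svc:8} {b:>9} bytes  avg pkt {avg}")
```

Two caveats worth keeping in mind when reading the output: the listed sources are reflectors, not the attacker, so blackholing them at the edge (S/RTBH) stops the flood but also cuts you off from those hosts, and any of them that fall inside your own or a customer's prefixes are exactly the open recursors and misconfigured CPE the thread asks about, which is the cheaper thing to fix.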