Vadim,

Vadim Antonov wrote:
Just a thought - strict RPF at all ingress points, in combination with Fair Queueing keyed on something like 24 high-order bits of source IP address in transit routers would render any high-rate flooding attack pretty much harmless.
If you are talking FQ, as the source addresses are usually forged and thus random, don't you want to key on the *destination* address? Or are you only aiming at reflected attacks?

Fair Queuing is useful in this manner not only on interconnects with other providers (transit / peering / customers so multihomed as to be difficult to RPF) but also perhaps on interfaces connected to customers. Not all attacks are forged source. Attacks with true source addresses from compromised servers would be mitigated by the fair queuing you describe on the router interface.

One minor problem here is that Fair Queuing (as I understand it) only drops packets if the egress interface to which it is applied gets full. So *my* applying fair queuing to all interfaces at an exchange point doesn't help me if X's MAE-East router is squirting an extra 50Mb/s of traffic at me, enough to fill my port, but not X's - this is true even if *everyone* at the IXP applies FQ.

So the alternative is CEF/CAR-like behaviour which would limit (not queue) traffic to any particular IP address within one given rate-limit matching clause to a specific rate. It's dead easy to make exceptions to this for specific IPs.

I'm sure getting people to deploy this universally will be just as easy as persuading them to deploy ingress filtering universally and turning off directed broadcast universally (cough cough).

--
Alex Bligh
VP Core Network, Concentric Network Corporation (formerly GX Networks, Xara Networks)
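As an added illustration (not part of the thread, not anyone's production code), a toy round-robin fair-queuing model on a congested egress. It uses constructed traffic: 200 legitimate packets from distinct source /24s to distinct destination /24s, plus a 5000-packet flood at one victim address with forged random sources. The model compares keying the /24 bucket on the source address with keying it on the destination address, and also shows that nothing is dropped at all when the link is not full.

```python
# Added example (not from the original thread): a toy round-robin fair
# queuing model comparing a /24 bucket key on the SOURCE address with one
# on the DESTINATION address when the flood forges random source addresses.
import random
from collections import defaultdict

LINK_CAPACITY = 1000         # packets the congested egress carries per interval (constructed)
FLOOD_TARGET = "192.0.2.10"  # constructed victim address

def prefix24(ip):
    """Bucket key: the /24 of a dotted-quad address (10.1.2.3 -> '10.1.2')."""
    return ip.rsplit(".", 1)[0]

def make_traffic(n_legit=200, n_flood=5000, seed=1):
    """Constructed sample: one legitimate packet from each of n_legit source
    /24s to n_legit distinct destination /24s, plus n_flood packets aimed at
    FLOOD_TARGET whose source addresses are forged at random."""
    rng = random.Random(seed)
    pkts = [(f"10.{i // 256}.{i % 256}.1", f"198.51.{i}.1") for i in range(n_legit)]
    pkts += [(f"{rng.randrange(1, 224)}.{rng.randrange(256)}.{rng.randrange(256)}.1",
              FLOOD_TARGET) for _ in range(n_flood)]
    rng.shuffle(pkts)
    return pkts

def fair_queue(pkts, key, capacity=LINK_CAPACITY):
    """Serve one packet per non-empty bucket per pass until the link interval
    is full; whatever is left in the buckets is dropped. With capacity >=
    len(pkts) nothing is dropped, which is the 'egress not full' case."""
    buckets = defaultdict(list)
    for src, dst in pkts:
        buckets[key(src, dst)].append((src, dst))
    forwarded = []
    while len(forwarded) < capacity and any(buckets.values()):
        for q in buckets.values():
            if q and len(forwarded) < capacity:
                forwarded.append(q.pop())
    return forwarded

def legit_delivered(pkts, key, capacity=LINK_CAPACITY):
    """Number of legitimate (non-flood) packets that make it onto the link."""
    return sum(1 for _, dst in fair_queue(pkts, key, capacity) if dst != FLOOD_TARGET)

def by_source(src, dst):
    return prefix24(src)

def by_destination(src, dst):
    return prefix24(dst)

if __name__ == "__main__":
    traffic = make_traffic()
    print("legit delivered, source-keyed FQ:     ", legit_delivered(traffic, by_source))
    print("legit delivered, destination-keyed FQ:", legit_delivered(traffic, by_destination))
```

With forged sources the flood occupies thousands of source buckets and crowds out most of the 200 legitimate flows, while a destination key confines it to a single bucket and every legitimate packet is delivered.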