ONS - slightly OT offlist if you care to comment.
My opinion: A tier 1 provider does not care what traffic it carries. That is all a function of the application not the network. A tier 2 provider may do traffic shaping, etc. A tier 3 provider may decide to block traffic patterns.

------------------------------

More or less... The network was intended to move data from one machine to another... The less manipulation in the middle the better... No manipulation of the payload is the name of the game. That being said. It's entirely a function of the application to timeout and drop out of order packets, etc. ONS is designed around this principle. In streaming data... often it is better to get bad or missing data than to try and put out of order or bad data in the buffer... A good example is digital over-the-air tv... If you didn't build in enough error correction... then you'll have digital breakup, etc. It is impossible to recover any of that data. If reliable transport of data is required... That is a function of the application.

------------------------------

a tier 1 can never not have enough capacity.. always N+1.... 99.999%
a tier 2 can afford 95.0%
a tier 3 75% or better is a good target.
wireless i call tier 4 - 50% is a good target... there are too many variables for ANY type of SOA. Just because you got the data... doesn't mean it wasn't re-requested 20 times.

256^6 AS : Network : Subnet : Machines

We will never run out of IP space... IPv6 is too difficult to understand... ONS is a direct replacement for the ENTIRE network architecture. Sonet, etc... It's all replaced. So you all get it from an address

AS : NETWORK : SUB-NET : MACHINE [MAC]
04.43.AA.AA.00.01 : 00.00.32.AA.00.F2 : 54.23.AA.43.AA.00 : 90.FA.A0.A9.F3.C2

The address includes everything about your network address... AS to MAC address... That is networking made simple... And the routing and AS to AS mechanism is that much simpler.... MPLS switching is a good way to think of it. I provide a path to your AS... at entry you provide a path to its destination. Or onward to the next connected AS. SO something similar to BGP is your inter-AS protocol for establishing what is where... It's entirely interface driven... I just provide the next interface... Each routing-switch is a node... So the list just tells it the node numbers to traverse... calculated at entry to your AS....

node : interface : subinterface . sub
[AS] : 08fa.003a : 0002 : 0000.00

Of course a DNS naming convention is implementable... Who wants to think of every single device as a number w/o a name.... Node / interface address... You could prepend the AS at the beginning.. but I would strip it from what people see ... Of course you could do MPLS type AS to AS routing... but that table could become huge.. and it's typically best for each provider to decide what to do with the traffic at entry to its network... perhaps only for your own customers would you do MPLS / MPLS type peering.

------------------------------

It's like I'd peer a maximum of 4 x OC192 to another tier-1 and everything else for their network either gets dropped or they pay for additional bandwidth... I peer ONLY with tier-1 providers... a maximum of p GB/s... Everything else is paid traffic. I have confidence that my network is directly connected to 85% of the world... And that my datacenters and distribution network carry 85% of the traffic necessary.

------------------------------

Every customer looks like a subnet... They can attach a virtually unlimited number of devices to their subnet...

------------------------------

That is to say that a sonet ring is made up of a series of devices... The entire network is ONS... Every single device on it. Hybrid-switching... It's still early in the design stages... Designed but not implemented.

------------------------------

Now which university wants to give me my degree??? How about that CCDP???

------------------------------

What a packet / frame / whatever looks like:

[AS Path] : [QOS identifier] : [Switching path] : [destination address] : [control bits (stack)] : [origin address] : [payload] : [padding]

[AS]: prepended at network entry... validating this belongs on my network. important if you're a transit point between two AS's. and your network doesn't appear in the origin or destination... could even contain the AS and other information about how it got there... netflow stuff... could just be an AS path... but it's best to let the next network decide what to do with it... It's just good to know this belongs on this network and this is why it's here...
a. it originated here
b. i accepted it from AS x as customer
c. i accepted it from AS x a peer
d. gateway of last resort
e. other

If it shows up on another AS... it will know that the data requires validation / handling ... so when i give it to AS p on interface g that machine will have to validate it belongs there and change the AS to indicate it belongs and calculate a path. Definitely an AS path to ensure that I don't just give it right back to the origin AS or anywhere else that has already had it because I think you have a better path to it. So it MUST retain the AS's that it has traversed. Prevent routing loops. If I receive something from an AS that I'm not supposed to receive from... Either accept it due to policy override. Or drop it and create an alarm. Either way create an event.

QOS: first .. drop it unless i have to have it in congestion. queue everything else.... typical QOS stuff. I don't even want to process it if I'm congested or overloaded unless it is X priority.

switching path: node:int:sub//node:int:sub//node:int:sub//node:int:sub....[padding] .... end of path. each node strips its address and moves it to the next interface.

[QOS identifier] - 00.00 default. no priority. so a QOS enabled network would be able to buffer data and manipulate it... a tier 1 should have enough capacity to never need this. especially at 100+ gb/s ... a tier 3 or tier 4 network... this could be useful... at congestion... just drop the data unless it is FF.xx could be used like FECN / BECN... I'm congested at the end... quench everything that isn't important. store it if it's EE drop anything less... FF must reach its destination. if something bad happens it looks up the origin address and returns some sort of message indicating its node address ...

[control bits] undefined... containing an application identifier, sequence number, data type, crc, crc version, etc. what we once called a socket number.... packet , etc... ff.00 even the application could be switched to a particular computing node... / interface special address... saying that a cluster is a subnet and some control device decides where what goes... A RFC would be necessary for the world's input in assuring a versatile protocol that will not ever need to be updated...

Devices on the network would obviously all require address... AS : FF.FF.FF.FF.FF.FF this network only... and some sort of addressing... to be determined. You'd also want some sort of encryption algorithm on control data to ensure no one has slipped you a roofy. I suppose just utilizing the switching path to get it where it needs to go... special addresses, etc... anything bound for all FF's has to be for me... better authenticate it. the application sees the control bits, origin, payload]

anycasting still works... one network number is a special number... always anycast... you can have as many subnets under that as you like... so at entry the path to the closest / best node is chosen... if those nodes are doing anything that requires always getting the same node ... then they had better have some application level magic happening... static interface scratch files.... something like that.. 1kb of data FF.FF always going to the control node... keeping track of what is where. so you received a request that you don't know what to do with.. better consult the control node.

(c) 2007; Patent Pending Chile and other territories. I intend to license it like the drug companies...

------------------------------

Finished! Enough to get started with an implementation. A few important things... Max AS path... after x it's automatically dropped. Max Switching path... I only reserved so many bytes... Target size 32768 bytes with 16384 bytes data. fully adjustable based on experimentation. So this is saying that for whatever reason I have decided this must go to AS x... Now you decide what to do with. But don't EVER give it back to me.
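The ingress rule sketched in the post above (retain every AS the packet has traversed, drop it when your own AS is already on the path or when it arrives from a neighbour you do not accept from unless policy overrides, and raise an event either way), together with the FF/EE congestion rule, as an added example in Python. This is not the poster's code and ONS was never implemented; the 6-byte address groups and the dotted-hex address are taken from the post, while the path cap of 8, the event strings and the `customer`/`peer` neighbour table are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

AS_LEN = 6                  # the post uses 6-byte (256^6) groups for AS, network, subnet, machine
ADDR_LEN = 4 * AS_LEN       # AS : NETWORK : SUB-NET : MACHINE = 24 raw bytes
MAX_AS_PATH = 8             # the post only says "after x it's dropped"; 8 is an assumed value


@dataclass
class Packet:
    """Only the fields needed for the ingress decision; the real layout has more."""
    as_path: List[bytes] = field(default_factory=list)   # ASes traversed, oldest first
    qos: int = 0x0000                                    # 00.00 = default, no priority
    switching_path: List[str] = field(default_factory=list)
    dst: bytes = b""
    origin: bytes = b""
    payload: bytes = b""


def parse_address(text: str) -> bytes:
    """'AS : NETWORK : SUBNET : MACHINE' in dotted hex -> 24 raw bytes."""
    groups = [g.strip() for g in text.split(":")]
    if len(groups) != 4:
        raise ValueError("expected four groups AS : NETWORK : SUBNET : MACHINE")
    raw = b"".join(bytes.fromhex(g.replace(".", "")) for g in groups)
    if len(raw) != ADDR_LEN:
        raise ValueError("each group must be exactly 6 bytes")
    return raw


def as_of(addr: bytes) -> bytes:
    """The AS is the first 6-byte group of the address."""
    return addr[:AS_LEN]


def ingress_check(pkt: Packet, my_as: bytes, from_as: bytes,
                  neighbours: Dict[bytes, str],
                  policy_override: Optional[Set[bytes]] = None) -> Tuple[str, str]:
    """Decide accept/drop at network entry and return (action, event).

    neighbours maps an adjacent AS to 'customer' or 'peer'. An event string is
    returned on every path, matching the post's "either way create an event".
    On accept, our own AS is appended so the next network can do the same check.
    """
    override = policy_override or set()
    # 1. Loop prevention: the path keeps every AS traversed, so if we are on it
    #    the packet is being handed back to us.
    if my_as in pkt.as_path:
        return "drop", "loop: own AS already in path"
    # 2. Bound the path so a packet cannot wander forever.
    if len(pkt.as_path) >= MAX_AS_PATH:
        return "drop", "as-path exceeded maximum length"
    # 3. Record why this packet belongs on our network (reasons a-e in the post).
    if from_as == my_as:
        reason = "a. originated here"
    elif neighbours.get(from_as) == "customer":
        reason = "b. accepted from customer"
    elif neighbours.get(from_as) == "peer":
        reason = "c. accepted from peer"
    elif from_as in override:
        reason = "e. other: accepted by policy override"
    else:
        return "drop", "alarm: received from unexpected AS"
    pkt.as_path.append(my_as)
    return "accept", reason


def congestion_action(qos: int, congested: bool) -> str:
    """The post's QoS rule: FF.xx must be delivered, EE.xx is stored, lower is dropped under congestion."""
    if not congested:
        return "forward"
    klass = qos >> 8
    if klass == 0xFF:
        return "forward"
    if klass == 0xEE:
        return "store"
    return "drop"


if __name__ == "__main__":
    me = bytes.fromhex("0443AAAA0001")      # AS group of the address quoted in the post
    customer = bytes.fromhex("00000000000A")  # constructed neighbour AS
    dst = parse_address("04.43.AA.AA.00.01 : 00.00.32.AA.00.F2 : 54.23.AA.43.AA.00 : 90.FA.A0.A9.F3.C2")
    pkt = Packet(as_path=[customer], dst=dst)
    print(ingress_check(pkt, me, customer, {customer: "customer"}))
    print(ingress_check(pkt, me, customer, {customer: "customer"}))  # second pass: loop, dropped
```

The loop check is done before the neighbour check on purpose: a packet that has already been through this AS is dropped regardless of who is handing it back, which is exactly the "don't EVER give it back to me" rule at the end of the post.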
Chiloé Temuco wrote:
My opinion:
A tier 1 provider does not care what traffic it carries. That is all a function of the application not the network.
Providers should start caring about what they're carrying. Haven't seen one message yet about the hoarding of "Storm Bot" and what someone is doing to nip this at the bud. Who better than the big boys. After all what happens when someone launches this botnet at say Mae-East/West or some other backbone.
More or less... The network was intended to move data from one machine to another... The less manipulation in the middle the better... No manipulation of the payload is the name of the game.
Less manipulation = bad theory/design. Again using examples such as Nimda, Code Red, etc., why is it that engineers can sit around spend say - I don't know - an hour a day answering reDumbdant NANOG posts yet these same engineers can't spend 5 hours in one week looking at "up and coming" hurricanes on the horizon (Storm Bot anyone). Yet they can spend another 5 hours a week bitching and moaning about who was on first and how that bot got on second and it's all Michael Dillon's fault because it started someone on BT, and then Gadi Evron warned you last month but you bitched him out so you're now waiting on the gracious Mr. Bellovin to re-write an entire protocol or say "wow that's a good idea!"...
SO something similar to BGP is your inter-AS protocol for establishing what is where...
I'm all for it. Let's get another working group to implement this right after IPv6 in the year 3000. As for the rest of the email... Sorry got too cumbersome. I was busy writing a response to the next NANOG thread.

--
====================================================
J. Oquendo
"Excusatio non petita, accusatio manifesta"
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
On Wed, Aug 15, 2007 at 03:02:07PM -0400, J. Oquendo wrote:
Chiloé Temuco wrote:
My opinion:
A tier 1 provider does not care what traffic it carries. That is all a function of the application not the network.
Providers should start caring about what they're carrying. Haven't seen one message yet about the hoarding of "Storm Bot" and what someone is doing to nip this at the bud. Who better than the big boys. After all what happens when someone launches this botnet at say Mae-East/West or some other backbone.
sniff... mae-east. fond memories... now if ANYONE could launch anything from mae-east these days, I'd be really impressed.
SO something similar to BGP is your inter-AS protocol for establishing what is where...
I'm all for it. Let's get another working group to implement this right after IPv6 in the year 3000. As for the rest of the email... Sorry got too cumbersome. I was busy writing a response to the next NANOG thread.
does this mean we have to implement Terrell's tribit encoding? --bill
--
====================================================
J. Oquendo
"Excusatio non petita, accusatio manifesta"
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
On Wed, Aug 15, 2007 at 08:10:47PM +0000, bmanning@vacation.karoshi.com wrote:
sniff... mae-east. fond memories... now if ANYONE could launch anything from mae-east these days, I'd be really impressed.
We could go stand on the roof of either 8100 Boone or 1919 Gallows and throw something off (maybe an old 7507). Would that count? --Jeff
On Thu, Aug 16, 2007 at 10:02:02AM -0400, Jeff Aitken wrote:
On Wed, Aug 15, 2007 at 08:10:47PM +0000, bmanning@vacation.karoshi.com wrote:
sniff... mae-east. fond memories... now if ANYONE could launch anything from mae-east these days, I'd be really impressed.
We could go stand on the roof of either 8100 Boone or 1919 Gallows and throw something off (maybe an old 7507). Would that count?
nope... terminal velocity is not what we are after here... looking for more thrust :)
--Jeff
On Wed, 15 Aug 2007 15:02:07 EDT, "J. Oquendo" said:
Providers should start caring about what they're carrying. Haven't seen one message yet about the hoarding of "Storm Bot" and what someone is doing to nip this at the bud. Who better than the big boys. After all what happens when someone launches this botnet at say Mae-East/West or some other backbone.
I doubt if anybody would notice a DDoS attack against MAE-East. ;)

And we're unlikely to see many major DDoS attacks against backbones, for a number of reasons:

1) You need a pretty big hose, or a *lot* of computers to do it.

2) The people with botnets tend to fall into 2 major groups: ankle-biters and pros.

2a) The ankle-biters don't hose down backbones because (1) they don't usually even know what a backbone is, and (2) they're usually too busy pointing their DDoS tools at some other ankle-biter or IRC admin that cheesed them off. Yes, these guys have taken out a few mid-tiers, but it's accidental collateral damage, not the intended target.

2b) The pros don't hose down backbones, because if a backbone is down, they can't make money from their now-disconnected botnet.

Yeah, a concerted effort probably *would* take out AS701 or similar. But we don't see it happen often, because the people who have the ability to do it also realize that while AS701 is out napping, their other business ventures are taking a hit from the lost connectivity...
Valdis.Kletnieks@vt.edu wrote:
I doubt if anybody would notice a DDoS attack against MAE-East. ;)
Who was it that doubted anyone would need more than 1024k of memory?
1) You need a pretty big hose, or a *lot* of computers to do it.
I would hope some have been reading news reports where it's alleged this particular botnet is over 1.7 million machines deep.
2a) The ankle-biters don't hose down backbones because (1) they don't usually even know what a backbone is, and (2) they're usually too busy pointing their DDoS tools at some other ankle-biter or IRC admin that cheesed them off. Yes, these guys have taken out a few mid-tiers, but it's accidental collateral damage, not the intended target.
Come on now surely you don't believe this to be the only cases where idiots use botnets. Have you not read the reports of morons hosing a network for ransom.
2b) The pros don't hose down backbones, because if a backbone is down, they can't make money from their now-disconnected botnet.
Re-read above statement
Yeah, a concerted effort probably *would* take out AS701 or similar. But we don't see it happen often, because the people who have the ability to do it also realize that while AS701 is out napping, their other business ventures are taking a hit from the lost connectivity...
For years now I contemplated how long would it be before someone created the ultimate botnet/backbone killer. I've always wondered "Hrmm... How would I COUNTER this if x happened." I've rambled on about it for I don't know 8 years now, starting with "Theories in DoS" before DDoS was really even pimped out by Dave Dittrich... People thought (probably still do think) I was (am) looney. My guess is, give or take a few years and you will get that one pissed off person to lay the smack down on peers worldwide.

When this happens (hopefully it won't), I'll sit back and ramble on some more with "that's so yesterday... I predicted it a "real long time ago" (www.infiltrated.net/chappelle.mp3) then go back to rambling on as I always do.

--
====================================================
J. Oquendo
"Excusatio non petita, accusatio manifesta"
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
If anyone is running a large enough network that they can't mitigate this it would surprise me, and they would deserve to be taken out. Unless all these bots are directly connected (direct customer) and concentrated on one portion of the network (not spread across the entire access layer) I can't imagine with the tools, features, products, etc that are available today (that can almost manage dDoS attacks for you) that it couldn't be mitigated. 5-6 years ago this would have been a lot tougher, but it was still doable.

It would be interesting to get into a really technical architectural discussion. I have my ideas as to how to manage it, I'm sure others do as well, and differently. And ASN701 as mentioned specifically has someone who was able to manage these things 5-6 years ago in Chris Morrow (assuming you're still there). He helped us quite a bit back in those days, and without all the toys that are out there today.

J. Oquendo wrote:
Valdis.Kletnieks@vt.edu wrote:
I doubt if anybody would notice a DDoS attack against MAE-East. ;)
Who was it that doubted anyone would need more than 1024k of memory?
1) You need a pretty big hose, or a *lot* of computers to do it.
I would hope some have been reading news reports where it's alleged this particular botnet is over 1.7 million machines deep.
2a) The ankle-biters don't hose down backbones because (1) they don't usually even know what a backbone is, and (2) they're usually too busy pointing their DDoS tools at some other ankle-biter or IRC admin that cheesed them off. Yes, these guys have taken out a few mid-tiers, but it's accidental collateral damage, not the intended target.
Come on now surely you don't believe this to be the only cases where idiots use botnets. Have you not read the reports of morons hosing a network for ransom.
2b) The pros don't hose down backbones, because if a backbone is down, they can't make money from their now-disconnected botnet.
Re-read above statement
Yeah, a concerted effort probably *would* take out AS701 or similar. But we don't see it happen often, because the people who have the ability to do it also realize that while AS701 is out napping, their other business ventures are taking a hit from the lost connectivity...
For years now I contemplated how long would it be before someone created the ultimate botnet/backbone killer. I've always wondered "Hrmm... How would I COUNTER this if x happened." I've rambled on about it for I don't know 8 years now, starting with "Theories in DoS" before DDoS was really even pimped out by Dave Dittrich... People thought (probably still do think) I was (am) looney. My guess is, give or take a few years and you will get that one pissed off person to lay the smack down on peers worldwide.
When this happens (hopefully it won't), I'll sit back and ramble on some more with "that's so yesterday... I predicted it a "real long time ago" (www.infiltrated.net/chappelle.mp3) then go back to rambling on as I always do.
So if someone had a moderately large botnet (100k hosts) and these had an average broadband speed of say 2Mbps .. you are saying that 200Gb of traffic can be handled?

Given that the fastest edge connections (outside of Peter Lothberg's bathroom) are 10Gb this traffic can easily be directed to take out multiple parts of a network's critical connectivity.

Steve

On Thu, Aug 16, 2007 at 09:58:11AM -0400, Jason LeBlanc wrote:
If anyone is running a large enough network that they can't mitigate this it would surprise me, and they would deserve to be taken out. Unless all these bots are directly connected (direct customer) and concentrated on one portion of the network (not spread across the entire access layer) I can't imagine with the tools, features, products, etc that are available today (that can almost manage dDoS attacks for you) that it couldn't be mitigated. 5-6 years ago this would have been a lot tougher, but it was still doable.
It would be interesting to get into a really technical architectural discussion. I have my ideas as to how to manage it, I'm sure others do as well, and differently. And ASN701 as mentioned specifically has someone who was able to manage these things 5-6 years ago in Chris Morrow (assuming you're still there). He helped us quite a bit back in those days, and without all the toys that are out there today.
J. Oquendo wrote:
Valdis.Kletnieks@vt.edu wrote:
I doubt if anybody would notice a DDoS attack against MAE-East. ;)
Who was it that doubted anyone would need more than 1024k of memory?
1) You need a pretty big hose, or a *lot* of computers to do it.
I would hope some have been reading news reports where it's alleged this particular botnet is over 1.7 million machines deep.
2a) The ankle-biters don't hose down backbones because (1) they don't usually even know what a backbone is, and (2) they're usually too busy pointing their DDoS tools at some other ankle-biter or IRC admin that cheesed them off. Yes, these guys have taken out a few mid-tiers, but it's accidental collateral damage, not the intended target.
Come on now surely you don't believe this to be the only cases where idiots use botnets. Have you not read the reports of morons hosing a network for ransom.
2b) The pros don't hose down backbones, because if a backbone is down, they can't make money from their now-disconnected botnet.
Re-read above statement
Yeah, a concerted effort probably *would* take out AS701 or similar. But we don't see it happen often, because the people who have the ability to do it also realize that while AS701 is out napping, their other business ventures are taking a hit from the lost connectivity...
For years now I contemplated how long would it be before someone created the ultimate botnet/backbone killer. I've always wondered "Hrmm... How would I COUNTER this if x happened." I've rambled on about it for I don't know 8 years now, starting with "Theories in DoS" before DDoS was really even pimped out by Dave Dittrich... People thought (probably still do think) I was (am) looney. My guess is, give or take a few years and you will get that one pissed off person to lay the smack down on peers worldwide.
When this happens (hopefully it won't), I'll sit back and ramble on some more with "that's so yesterday... I predicted it a "real long time ago" (www.infiltrated.net/chappelle.mp3) then go back to rambling on as I always do.
Stephen Wilcox wrote:
Given that the fastest edge connections (outside of Peter Lothberg's bathroom) are 10Gb this traffic can easily be directed to take out multiple parts of a network's critical connectivity.
(removed annoying cc's) Well I was actually hoping Mrs. Lothberg would be the next MAE-Scandinavia backbone provider. Do the math (anyone):

// SNIP
“The number of unique, infected hosts (bots), from which the attack is being launched by email, has also increased dramatically,” said Stewart. “They went from 2,815 in the beginning of 2007 through the end of May to a total of 1.7 million for the months of June and July.”
http://www.darkreading.com/document.asp?doc_id=130745
// END SNIP

Let's say it's exaggerated and say this botnet is 1/4 of this size: 425,000 hosts waiting for a C&C dumbarse to launch a command. Something simple ping... 64bytes * 425,000 hosts = 25MB ... ping -s 128 or higher? A GET|HEAD|POST|etc would kill my server before the majority of traffic even eked its way through. Bad scenario ... Cause a flap between two heavy peers (see Randy Bush's take on dampening/flapping). I could see this become a problem no matter what you think you can throw at it. Somewhere, someone down the line, will have something a bit misconfigured/*oops I forgot to place tcp intercept here*/etc and will cause some "could have been avoided if one woke up and smelled the coffee" scenario which will cause a major outage. Poop happens when you let it, why not open one's eyes now and be alert/aware of what's out there and make sure solutions are in place before it's too late.

Then again, I wonder what outside of massive filtering on fwsm's can one do in a situation like this. It's not like these are spoofed connections which something like tcp intercept would be able to mitigate against. RFC1918 filtering... Useless. Different story if there was filtering on provider side that says "Hey gee... This botnet that's 1.7 million strong is connecting on port xxxxx, let me take a pre-emptive strike and monitor this" http://atlas.arbor.net/ +207.0 % Slammer variant as of yesterday... School is what one two weeks away. Synonymous with all sorts of new improved crap...

I can't for the life of me figure out why some of the best engineers in the world who are on this and other networking lists shrug these things off. Makes me wonder who profits via bandwidth sales from this. Someone obviously will irrespective of how rude, condescending it sounds.

--
====================================================
J. Oquendo
"Excusatio non petita, accusatio manifesta"
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
I can't for the life of me figure out why some of the best engineers in the world who are on this and other networking lists shrug these things off.
What evidence do you have that some of the best engineers in the world are on these lists? My impression is that there are a lot of good engineers on these lists with occasional flashes of excellence, but what they are best at is communicating. After all, mailing lists are primarily about communicating, not about engineering. The best engineers in the world are elsewhere, busy engineering.

--Michael Dillon
Maybe I shouldn't have made a blanket statement considering the audience, my bad. My point was more that for most attacks not specifically directed at the network gear itself, meaning packets traversing the network, can potentially be managed. Shutting down an interface if you can find where it enters your network, and maybe if there is a pattern that can be matched on and null routing that traffic, etc. Short of terrorism (disruption without any purpose other than disruption itself) most botnets were designed to accomplish something, usually that something isn't taking out the highway that earns them income. Maybe a target on the highway that causes them problems earning said income being knocked offline.

Stephen Wilcox wrote:
So if someone had a moderately large botnet (100k hosts) and these had an average broadband speed of say 2Mbps .. you are saying that 200Gb of traffic can be handled?
Given that the fastest edge connections (outside of Peter Lothberg's bathroom) are 10Gb this traffic can easily be directed to take out multiple parts of a network's critical connectivity.
Steve
On Thu, Aug 16, 2007 at 09:58:11AM -0400, Jason LeBlanc wrote:
If anyone is running a large enough network that they can't mitigate this it would surprise me, and they would deserve to be taken out. Unless all these bots are directly connected (direct customer) and concentrated on one portion of the network (not spread across the entire access layer) I can't imagine with the tools, features, products, etc that are available today (that can almost manage dDoS attacks for you) that it couldn't be mitigated. 5-6 years ago this would have been a lot tougher, but it was still doable.
It would be interesting to get into a really technical architectural discussion. I have my ideas as to how to manage it, I'm sure others do as well, and differently. And ASN701 as mentioned specifically has someone who was able to manage these things 5-6 years ago in Chris Morrow (assuming you're still there). He helped us quite a bit back in those days, and without all the toys that are out there today.
J. Oquendo wrote:
Valdis.Kletnieks@vt.edu wrote:
I doubt if anybody would notice a DDoS attack against MAE-East. ;)
Who was it that doubted anyone would need more than 1024k of memory?
1) You need a pretty big hose, or a *lot* of computers to do it.
I would hope some have been reading news reports where it's alleged this particular botnet is over 1.7 million machines deep.
2a) The ankle-biters don't hose down backbones because (1) they don't usually even know what a backbone is, and (2) they're usually too busy pointing their DDoS tools at some other ankle-biter or IRC admin that cheesed them off. Yes, these guys have taken out a few mid-tiers, but it's accidental collateral damage, not the intended target.
Come on now surely you don't believe this to be the only cases where idiots use botnets. Have you not read the reports of morons hosing a network for ransom.
2b) The pros don't hose down backbones, because if a backbone is down, they can't make money from their now-disconnected botnet.
Re-read above statement
Yeah, a concerted effort probably *would* take out AS701 or similar. But we don't see it happen often, because the people who have the ability to do it also realize that while AS701 is out napping, their other business ventures are taking a hit from the lost connectivity...
For years now I contemplated how long would it be before someone created the ultimate botnet/backbone killer. I've always wondered "Hrmm... How would I COUNTER this if x happened." I've rambled on about it for I don't know 8 years now, starting with "Theories in DoS" before DDoS was really even pimped out by Dave Dittrich... People thought (probably still do think) I was (am) looney. My guess is, give or take a few years and you will get that one pissed off person to lay the smack down on peers worldwide.
When this happens (hopefully it won't), I'll sit back and ramble on some more with "that's so yesterday... I predicted it a "real long time ago" (www.infiltrated.net/chappelle.mp3) then go back to rambling on as I always do.
Unless all these bots are directly connected (direct customer) and concentrated on one portion of the network (not spread across the entire access layer) I can't imagine with the tools, features, products, etc that are available today (that can almost manage dDoS attacks for you) that it couldn't be mitigated. 5-6 years ago this would have been a lot tougher, but it was still doable.
Remote triggered BGP blackhole filtering comes to mind
ftp://ftp-eng.cisco.com/cons/isp/security/Remote-Triggered-Black-Hole-Filtering-02.pdf

And if the bots are directly connected or concentrated in one point of the network, it seems to me that simple ACLs can mitigate the attack.

I agree that DDoS is not likely to take down a network big enough to be called a backbone unless there is some kind of unforeseen side effects to the DDoS.

--Michael Dillon
On Thu, Aug 16, 2007 at 04:00:36PM +0100, michael.dillon@bt.com wrote:
Unless all these bots are directly connected (direct customer) and concentrated on one portion of the network (not spread across the entire access layer) I can't imagine with the tools, features, products, etc that are available today (that can almost manage dDoS attacks for you) that it couldn't be mitigated. 5-6 years ago this would have been a lot tougher, but it was still doable.
Remote triggered BGP blackhole filtering comes to mind
ftp://ftp-eng.cisco.com/cons/isp/security/Remote-Triggered-Black-Hole-Filtering-02.pdf
And if the bots are directly connected or concentrated in one point of the network, it seems to me that simple ACLs can mitigate the attack.
I agree that DDoS is not likely to take down a network big enough to be called a backbone unless there is some kind of unforeseen side effects to the DDoS.
unless they are not 'in' the network and hence can't be stopped internally and have the potential to overwhelm any external interface.. these cannot be mitigated without cooperation from other networks

Steve
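An added simulation in Python of the remote-triggered blackhole mechanism Michael Dillon points to, extended with the source-based variant that speaks to Steve's point that traffic from sources outside your network can only be stopped with the cooperation of other networks: the blackhole community is what a customer or peer sends to its upstream so that the upstream's own edges discard the traffic. This is not code from Cisco's paper or from any router vendor. The addresses are constructed from the IPv4 documentation ranges, the community `65535:666` is the well-known BLACKHOLE value defined in RFC 7999, and the class and interface names are assumptions made here.

```python
import ipaddress
from typing import Dict, List

# Constructed values for this example: the discard next hop is from TEST-NET-1,
# the victim and the attack source from TEST-NET-3 and TEST-NET-2.
DISCARD_NEXT_HOP = "192.0.2.1"
BLACKHOLE_COMMUNITY = "65535:666"   # BLACKHOLE well-known community, RFC 7999
MAX_RECURSION = 4                   # guard against next-hop resolution loops


class Router:
    """Minimal FIB: longest-prefix match with recursive next-hop resolution."""

    def __init__(self, name: str):
        self.name = name
        self.fib: Dict[ipaddress.IPv4Network, str] = {}
        # The static route every router needs before RTBH can work: anything
        # whose next hop resolves to the discard address is dropped in hardware.
        self.add_route(f"{DISCARD_NEXT_HOP}/32", "Null0")

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.fib[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst: str, depth: int = 0) -> str:
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.fib if addr in n]
        if not matches:
            return "no-route"
        nh = self.fib[max(matches, key=lambda n: n.prefixlen)]
        if nh == "Null0":
            return "discard"
        if nh.startswith("if:"):                 # directly connected interface
            return f"forward via {nh[3:]}"
        if depth >= MAX_RECURSION:
            return "unresolved"
        return self.lookup(nh, depth + 1)        # next hop is an IP: resolve it too

    def receive_update(self, prefix: str, next_hop: str, communities: List[str]) -> bool:
        """Import policy: a blackhole-tagged route is installed only as a /32 with
        the discard next hop, so a mistyped trigger cannot blackhole a whole block."""
        net = ipaddress.ip_network(prefix)
        if BLACKHOLE_COMMUNITY in communities:
            if net.prefixlen != 32 or next_hop != DISCARD_NEXT_HOP:
                return False
        self.add_route(prefix, next_hop)
        return True

    def urpf_loose_accepts(self, src: str) -> bool:
        """Loose uRPF on ingress: a source with no route, or whose route points
        at Null0, is dropped. Blackholing a source /32 therefore drops its
        packets at every edge (source-based RTBH)."""
        return self.lookup(src) not in ("discard", "no-route")


def trigger_blackhole(edges: List[Router], host: str) -> int:
    """Trigger router: send host/32 with the discard next hop and the blackhole
    community to every edge router (what iBGP does in practice); return the
    number of edges that installed it."""
    return sum(e.receive_update(f"{host}/32", DISCARD_NEXT_HOP, [BLACKHOLE_COMMUNITY])
               for e in edges)


def build_edges() -> List[Router]:
    """Two edge routers that both know the customer's prefix (constructed)."""
    edges = [Router("edge1"), Router("edge2")]
    for e in edges:
        e.add_route("203.0.113.0/24", "if:customer-A")
        e.add_route("198.51.100.0/24", "if:peer-B")
    return edges


if __name__ == "__main__":
    edges = build_edges()
    print("before:", edges[0].lookup("203.0.113.10"))
    trigger_blackhole(edges, "203.0.113.10")          # destination-based: victim goes dark
    print("after: ", edges[0].lookup("203.0.113.10"), "/", edges[0].lookup("203.0.113.11"))
    trigger_blackhole(edges, "198.51.100.7")          # source-based: attacker's packets dropped
    print("uRPF accepts 198.51.100.7:", edges[0].urpf_loose_accepts("198.51.100.7"))
```

Two points a practitioner will want to keep in mind. Destination-based blackholing finishes the job for the attacker as far as the one victim host is concerned, since every edge now discards traffic to it; its value is that the rest of the customer's prefix and the backbone links stay up, which is why the source-based variant with loose uRPF exists for the cases where the sources are few. And the decision to install the route is the upstream's import policy (`receive_update` here), which is where the cooperation Steve asks for actually takes place: a network that does not honour the community from its neighbours cannot help them.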
participants (8)
- bmanning@vacation.karoshi.com
- Chiloé Temuco
- J. Oquendo
- Jason LeBlanc
- Jeff Aitken
- michael.dillon@bt.com
- Stephen Wilcox
- Valdis.Kletnieks@vt.edu