Re: Yahoo! Lessons Learned

i am rather amused at folk who fear dialup systems being used as ddos slaves.
I'm more worried about a master being connected there. Remember, with at least one of the tools you can trigger the "slaves" via forged ICMP reply messages. It doesn't take a fat pipe to do that and it makes finding the perp that much harder, especially since dial connections are generally more anonymous. Yes, we have tested "source validation" in our live dial network. Yes, there is a performance impact. "Can do" or "Can't do" depends on how many dial customers you are trying to pile into one box, and what equipment you are using. Also, ingress filtering one-hop-up isn't necessarily so easy. Some of us will dynamically route prefixes other than /32 to certain dial customers. This complicates things.

Yes, we have tested "source validation" in our live dial network. Yes, there is a performance impact. "Can do" or "Can't do" depends on how many dial customers you are trying to pile into one box, and what equipment you are using.
yup.
Also, ingress filtering one-hop-up isn't necessarily so easy. Some of us will dynamically route prefixes other than /32 to certain dial customers. This complicates things.
yup. and worse, sometimes one does not have control over the cpe, and the next hop, the pop aggregation box, is getting highly aggregated telco with hundreds of dedicated customers per physical interface. hence one can run into the not-enough-horses-to-packet-filter condition on the first level aggregation.

randy
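As an added illustration that is not code from this thread or from any vendor's router, the following Python simulates the source validation discussed above on a hypothetical dial aggregation box. The routing table and packets are constructed; the point it shows is that a filter which only knows each customer's /32 wrongly drops traffic from a customer who has been dynamically routed a larger prefix, while a check against the full set of prefixes routed toward the interface still rejects forged sources.

```python
import ipaddress
from collections import defaultdict

# Constructed routing table for a hypothetical dial aggregation box:
# (prefix routed toward a dial customer, ingress interface it arrives on).
# Most customers hold a single /32; one on dial1 is also routed a /29.
ROUTES = [
    ("192.0.2.17/32", "dial0"),
    ("192.0.2.18/32", "dial1"),
    ("198.51.100.0/29", "dial1"),   # dynamically routed block, not a /32
]

# Constructed sample packets: (ingress interface, claimed source address).
PACKETS = [
    ("dial0", "192.0.2.17"),      # customer's own address
    ("dial0", "10.0.0.1"),        # forged source, not routed to dial0
    ("dial1", "198.51.100.3"),    # inside the customer's routed /29
    ("dial1", "192.0.2.17"),      # forged: belongs to the dial0 customer
]


def build_table(routes):
    """Group the prefixes routed toward each ingress interface."""
    table = defaultdict(list)
    for prefix, ifname in routes:
        table[ifname].append(ipaddress.ip_network(prefix))
    return table


def source_valid(table, ifname, src):
    """Strict check: accept only if the source lies inside some prefix
    the box routes toward this interface (reverse-path style)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table.get(ifname, []))


def naive_slash32_valid(table, ifname, src):
    """Per-port filter that only knows the customer's /32 and ignores
    larger dynamically routed blocks; this is what breaks in practice."""
    addr = ipaddress.ip_address(src)
    return any(net.prefixlen == 32 and addr in net
               for net in table.get(ifname, []))


def evaluate(routes=ROUTES, packets=PACKETS):
    """Return {(iface, src): (strict_ok, naive_ok)} for every packet."""
    table = build_table(routes)
    return {(ifname, src): (source_valid(table, ifname, src),
                            naive_slash32_valid(table, ifname, src))
            for ifname, src in packets}
```

The third packet is the interesting one: legitimate traffic from the /29 passes the strict check but is dropped by the /32-only filter.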
participants (2)
- Randy Bush
- robert@UU.NET