Re: [SECURITY] Application layer attacks/DDoS attacks
Application layer DDoS attacks, in most (all?) cases require a valid TCP/IP connection, therefore are not spoofed and BCP38 is irrelevant
Sent from Steve's iPhone
On May 25, 2015, at 8:00 AM, nanog-request@nanog.org wrote:
Today's Topics:
1. Re: [SECURITY] Application layer attacks/DDoS attacks (Christopher Morrow)
2. Re: [SECURITY] Application layer attacks/DDoS attacks (Ramy Hashish)
3. Re: [SECURITY] Application layer attacks/DDoS attacks (Randy Bush)
----------------------------------------------------------------------
Message: 1
Date: Sun, 24 May 2015 23:01:50 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: jim deleskie <deleskie@gmail.com>
Cc: Ramy Hashish <ramy.ihashish@gmail.com>, NANOG list <nanog@nanog.org>
Subject: Re: [SECURITY] Application layer attacks/DDoS attacks
Message-ID: <CAL9jLaYf7v-NG_1qGEHtHhASOD6Vea5VJCSJcWhS29GPcRuzPg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
On Sat, May 23, 2015 at 9:12 PM, jim deleskie <deleskie@gmail.com> wrote:
> However, the trusted network initiative might be a good approach to start influencing operators to apply anti-spoofing mechanisms.
explain how you think the 'trusted network initiative' matters in the slightest?
-chris
------------------------------
Message: 2
Date: Mon, 25 May 2015 06:48:41 +0200
From: Ramy Hashish <ramy.ihashish@gmail.com>
To: morrowc.lists@gmail.com, nanog@nanog.org
Subject: Re: [SECURITY] Application layer attacks/DDoS attacks
Message-ID: <CAOLsBOt_SOwHLZVRgb31nMMX5isiS8rkXojUpP9NyNVU05Dw9w@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
The idea of restricting access to a certain content during an attack on the "trusted networks" only will make all interested ISPs be more "trusted"
Ramy
On Mon, May 25, 2015 at 5:01 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> On Sat, May 23, 2015 at 9:12 PM, jim deleskie <deleskie@gmail.com> wrote:
>> However, the trusted network initiative might be a good approach to start influencing operators to apply anti-spoofing mechanisms.
> explain how you think the 'trusted network initiative' matters in the slightest?
> -chris
------------------------------
Message: 3
Date: Mon, 25 May 2015 15:18:43 +0900
From: Randy Bush <randy@psg.com>
To: Ramy Hashish <ramy.ihashish@gmail.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Subject: Re: [SECURITY] Application layer attacks/DDoS attacks
Message-ID: <m2r3q5b2nw.wl%randy@psg.com>
Content-Type: text/plain; charset=US-ASCII
> The idea of restricting access to a certain content during an attack on the "trusted networks" only will make all interested ISPs be more "trusted"
don't the lawyers already have enough money?
End of NANOG Digest, Vol 88, Issue 25
On 25 May 2015, at 20:31, Steve via NANOG wrote:
> Application layer DDoS attacks, in most (all?) cases require a valid TCP/IP connection
DNS query-floods are a notable exception.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
>> Application layer DDoS attacks, in most (all?) cases require a valid TCP/IP connection
> DNS query-floods are a notable exception.
may i remind you of the dns query flood i had which you helped research? udp and tcp, from the same sources.
randy
On 26 May 2015, at 4:27, Randy Bush wrote:
> may i remind you of the dns query flood i had which you helped research? udp and tcp, from the same sources.
Yes - we determined that the TCP-based queries were a result of RRL, which is optimized to help with spoofed reflection/amplification attacks, but isn't intended to handle non-spoofed query-floods (hence S/RTBH, flowspec, IDMS, et al.) like the particular ANY query-flood directed at your auths.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
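The distinction drawn in the message above, as an added example that is not part of the thread: when RRL answers with truncated responses, a real client retries over TCP, so a high-rate source that also shows TCP queries has completed a handshake and is not spoofed. The log format, threshold and addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample query log (not from the thread): "epoch src proto qtype".
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
100 192.0.2.10 udp ANY
100 192.0.2.10 udp ANY
100 192.0.2.10 tcp ANY
101 192.0.2.10 udp ANY
101 192.0.2.10 tcp ANY
100 198.51.100.7 udp ANY
100 198.51.100.7 udp ANY
101 198.51.100.7 udp ANY
101 198.51.100.7 udp ANY
102 198.51.100.7 udp ANY
100 203.0.113.5 udp A
101 203.0.113.5 tcp A
"""

FLOOD_MIN_QUERIES = 5  # assumed threshold for this sample; tune per server


def classify_sources(log_text, min_queries=FLOOD_MIN_QUERIES):
    """Split high-volume sources by whether they also query over TCP."""
    counts = defaultdict(lambda: {"udp": 0, "tcp": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] not in ("udp", "tcp"):
            continue  # skip malformed lines rather than guessing
        counts[fields[1]][fields[2]] += 1

    verdicts = {}
    for src, c in counts.items():
        if c["udp"] + c["tcp"] < min_queries:
            verdicts[src] = "normal"
        elif c["tcp"] > 0:
            # TCP handshake completed, so the address is real and RRL will
            # not stop it; a candidate for S/RTBH or flowspec instead.
            verdicts[src] = "non-spoofed-flood"
        else:
            # High-rate UDP only: the source may be spoofed, RRL's case.
            verdicts[src] = "udp-only-flood"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(src, verdict)
```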
participants (3): Randy Bush, Roland Dobbins, Steve