Re: UDP port 80 DDoS attack
From: Steve Bertrand <steve.bertrand () gmail com>
Date: Sun, 05 Feb 2012 22:40:19 -0500
On 2012.02.05 22:30, Keegan Holley wrote:
> 2012/2/5 Steve Bertrand <steve.bertrand () gmail com>
> > On 2012.02.05 20:37, Keegan Holley wrote:
> > > Source RTBH often falls victim to rapidly changing or spoofed
> > > It also isn't as widely supported as it should be. I never said
> > > hopeless, there just aren't a wealth of defenses against it.
> >
> > This is so very easily automated. Even if you don't actually want to
> > trigger the routes automatically, finding the sources you want to
> > blackhole is as simple as a monitor port, tcpdump and some basic Perl.
>
> This is still vulnerable to spoofing which could cause you to filter
> legitimate traffic and make the problem worse. Not saying that S/RTBH
> is a bad idea. RTBH is effective and a great idea just not very elegant.

Agreed. Diligence does play a role. However, the times I have
implemented and used (s/)RTBH, I thought it was most elegant. I love its
simplicity and effectiveness.

> > ...and as far as this not having been deployed in many ISPs (per
> > your next message)... their mitigation strategies should be asked up
> > front, and if they don't have any (or don't know what you speak of),
> > find a new ISP.
>
> You sometimes have to weigh the pros and cons. You can't always pick
> the guys with the coolest knobs.

Agreed. But to me, DDOS mitigation is not just a cool knob. If my ISP
can help mitigate a 1Gb onslaught so my 100Mb pipe isn't overwhelmed,
that's more functional than cool. Ranks right up there with IPv6 ;)
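
The source-finding step described in the thread (monitor port, tcpdump, a short script), as an added example that is not part of the original message: it is written in Python rather than Perl, and the function name, thresholds, never-block list and sample capture lines are assumptions constructed for illustration. It only lists candidate sources for an operator to review and skips prefixes that must stay reachable, since the sources may be spoofed.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -nn line: HH:MM:SS.us IP src.sport > dst.dport: UDP, length N
LINE_RE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP, length (\d+)"
)

def srtbh_candidates(lines, target, dport=80, min_packets=3, never_block=()):
    """Return [(source, packets, bytes)] over the threshold, busiest first."""
    protected = [ipaddress.ip_network(net) for net in never_block]
    packets, octets = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # TCP, decoded application protocols, noise
        src, _sport, dst, port, length = m.groups()
        if dst != target or int(port) != dport:
            continue
        packets[src] += 1
        octets[src] += int(length)
    candidates = []
    for src, count in packets.most_common():
        if count < min_packets:
            continue
        # Sources can be spoofed: never propose prefixes that must stay reachable.
        if any(ipaddress.ip_address(src) in net for net in protected):
            continue
        candidates.append((src, count, octets[src]))
    return candidates

def _pkt(src, dport, length, n):
    # Constructed sample lines in tcpdump's text format (documentation addresses).
    return [f"22:31:0{i}.000000 IP {src}.4000{i} > 192.0.2.10.{dport}: UDP, length {length}"
            for i in range(n)]

SAMPLE = (
    _pkt("198.51.100.23", 80, 1400, 4)      # flood source
    + _pkt("203.0.113.77", 80, 1200, 3)     # flood source
    + _pkt("203.0.113.5", 80, 1400, 5)      # inside a never-block prefix
    + _pkt("198.51.100.99", 80, 64, 1)      # below the packet threshold
    + _pkt("198.51.100.23", 5000, 1400, 2)  # other port, ignored
    + ["22:31:09.000000 IP 198.51.100.50.40000 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0"]
)

if __name__ == "__main__":
    for src, count, size in srtbh_candidates(SAMPLE, "192.0.2.10", never_block=["203.0.113.0/29"]):
        print(f"{src}/32  packets={count}  bytes={size}")
```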