Home page logo
/

nanog logo nanog mailing list archives

Re: UDP port 80 DDoS attack
From: Mark Andrews <marka () isc org>
Date: Thu, 09 Feb 2012 09:14:22 +1100


In message <596B74B410EE6B4CA8A30C3AF1A155EA09CBE561 () RWC-MBX1 corp seven com>, G
eorge Bonser writes:


-----Original Message-----
From: christopher.morrow
=20
to be fair: "Some Providers do not check registries for 'right to use'
information about prefixes their customers wish to announce to them
over BGP."

Maybe not but I would think that in practice it would be something like:

1. Provider initially filters traffic based on the address range they have =
issued to the customer.
2. If the customer brings their own IP addresses, the provider does a quick=
 check to see if those have been SWIPed to the customer
3. If the customer wants the filtration opened up to include additional IPs=
, the do the same as #2
4. If the customer has no record of having control of those IPs, a quick ca=
ll to the listed assignee of those numbers would verify that the customer i=
s mutual and is properly sourcing traffic in that IP range and filters are =
adjusted accordingly.=20

In about 99% of cases that would be the end of the story and everything run=
s merrily along after that.  Sure, there are going to be corner cases but i=
f someone starts playing whack-a-mole with IP address assignments and is as=
king for frequent changes, that might be a tip-off that they might be troub=
le.

It *does* involve maintaining some record of the configuration settings som=
eplace in case of equipment changes/failures, etc. but that would be a smal=
l price to pay for reducing the amount of time spent chasing DoS complaints=
.  It has to be a community effort with a set of best practices developed a=
nd applied by the community. =20

And with cryptographically signed assignments this can be completely
automated.  Tie the DHCPv6 server into the RPKI system and DHCPv6
PD can do the right stuff so that the other ISP serving the customer
can know that these address are legal from the customer.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault