Firewall Wizards mailing list archives

re: Why blocking bogons buys you nothing


From: Mike Hoskins <mike () adept org>
Date: Mon, 10 Nov 2003 15:44:51 -0800 (PST)

From: Mikael Olsson <mikael.olsson () clavister com>
To: Barney Wolff <barney () databus com>
Cc: firewall-wizards () honor icsalabs com
Barney Wolff wrote:
On Sun, Nov 09, 2003 at 07:07:10PM +0100, Mikael Olsson wrote:
40-50% is not "significant" for a DDoS in my opinion. Especially
not if you're doing it on the wrong end of your Internet connection.
Depends on your goal.  If your goal is immunity from every DDoS, yes.
But that goal is unattainable by any means.  If your goal is to reduce
the frequency of outages caused by DDoS, 50% is significant, because
not every attack will come from the most powerful attacker.

50%...  How long is a piece of string?  Like Barney tried to point out,
50% can be a whole lot (wrt local server bandwidth).

And not every attack will come from DDoS slaves that spoof their
source IPs.  And not all of the spoofing slaves will use completely
random source IPs.

He didn't say they would, unlike you who tried to say something does
absolutely no good for everyone all the time.  The point is, you drew some
good conclusions but tried to make it apply everywhere all the time.
That's not the way the world works, especially the networking world.  What
you need to do is be intelligent and think about the pros and cons of what
you implement on your networks.  What applies at one site may not apply at
another, blah blah blah.  So, a good study, but one that needs to be read
with "common sense" like any other.

I've been on the receiving end of about half a dozen DDoSes so far.
None of them used randomized addresses.

"A grenade landed about 15 ft. from me once and I escaped unscathed...
Therefore, I let people throw grenades at me all the time."

Be as cautious as you wish with your network, and I'll do the same.

-mrh
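The thread argues over how much of a randomly spoofed flood a bogon filter actually drops. The following is an added example, not code from the list or its posters, that computes that share for a given prefix list: the exact fraction of IPv4 space the list covers, and a simulated drop rate over uniformly random source addresses. The prefix list is a constructed sample of permanently reserved space only; the 40-50% figure debated above came from then-unallocated /8s, which a current filter would no longer list.

```python
"""Estimate what share of uniformly random spoofed IPv4 sources a bogon
filter drops.  Added example; SAMPLE_BOGONS is a constructed list of
permanently reserved space, not a complete or current bogon list."""
import ipaddress
import random

# Constructed sample: space that is never a valid public source address.
# A 2003-era filter also carried then-unallocated /8s, which is where the
# 40-50% figure came from; those blocks have since been allocated.
SAMPLE_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
]


def bogon_networks(prefixes):
    """Parse and collapse prefixes so overlaps are not double counted."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def covered_addresses(prefixes):
    """Exact number of IPv4 addresses the (collapsed) prefix list covers."""
    return sum(n.num_addresses for n in bogon_networks(prefixes))


def coverage_fraction(prefixes):
    """Share of the 2^32 IPv4 space a uniformly random source lands in."""
    return covered_addresses(prefixes) / 2 ** 32


def is_bogon(addr, nets):
    """True if addr (string or int) falls inside any listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def simulate_drop_rate(prefixes, samples=100_000, seed=1):
    """Fraction of uniformly random 32-bit sources the filter would drop."""
    nets = bogon_networks(prefixes)
    rng = random.Random(seed)
    dropped = sum(is_bogon(rng.getrandbits(32), nets) for _ in range(samples))
    return dropped / samples


if __name__ == "__main__":
    print(f"exact coverage:   {coverage_fraction(SAMPLE_BOGONS):.4f}")
    print(f"simulated drops:  {simulate_drop_rate(SAMPLE_BOGONS):.4f}")
```

With only permanently reserved space the filter catches roughly 14% of uniformly random sources; the rest of any higher figure depends entirely on how much unallocated space the list carried on the day, which is why the number has to be re-derived from a current list rather than quoted.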

--
From: "Spam Catcher" <spam-catcher () adept org>
To: spam-catcher () adept org
Do NOT send email to the address listed above or
you will be added to a blacklist!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards