Re: engineering --> ddos and flooding

[Valdis.Kletnieks () vt edu]

On Mon, 04 Jun 2001 12:20:41 EDT, Paul Johnson <pjohnson () bosconet org>  said:
> Two NSPs should rate limit DoS traffic (ICMP & SYNs) within their
> networks in such a way that it can never DoS a T-1 (or E-1 if you are
> not in the US). [note: I'm not sure if ciso's are up for this workload
> since I primarily work with Juniper.]

Hmm.. I'd be *REALLY* unhappy if our upstream decided to rate-limit SYN
packets to prevent a DoS of a T-1, since the smallest pipe we have
deployed is in the OC-3 category.

The problem is that a *distributed* DOS effectively bypasses this sort
of check - you have (for instance) 1000 zombie machines, each contributing
only a few packets per second.  So none of THEM gets filtered.  Each ISP
may have only 3-4 zombies, so even aggregated they don't trigger a filter.

Nothing trips a filter, until it gets loose inside a Tier-1, with traffic
converging on one outbound pipe to the victim from 8 or 10 different
peering points.  And at THAT point, it's too late.

                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech