
nanog mailing list archives
Re: UDP port 80 DDoS attack
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Wed, 8 Feb 2012 08:29:31 +0000
On Feb 8, 2012, at 2:56 PM, bas wrote:
> The big drawback with S/RTBH is that it is a DoS method in itself.

I'm not an advocate of *automated* S/RTBH, and I am an advocate of whitelisting various well-known 'golden networks/IPs' via prefix-lists in order to avoid this issue in part; also, note that the concept of partial service recovery incorporates the notion of some legitimate traffic/users being blocked in order to maintain the availability of the targeted server/service/application for the majority of legitimate traffic/users.

Also note that S/RTBH isn't a universal panacea; it's just one tool in the toolbox. flowspec is more flexible due to its layer-4 granularity; and other types of tools such as IDMS are even more flexible and incorporate much richer classification technology.

It's important to understand that this isn't a theoretical discussion - I've personally utilized/helped others to utilize S/RTBH to successfully mitigate large-scale DDoS attacks, and it's a lowest-common-denominator in terms of a somewhat dynamic mitigation mechanism. Let's not make the perfect the enemy of the merely good.

;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton
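The whitelisting step described in the message above, as an added example that is not part of the original post or of any poster's tooling: candidate S/RTBH sources are checked against a list of 'golden' prefixes, and the result is a list for an operator to review rather than an automated route injection. The function name, prefixes and addresses are constructed for illustration (documentation address ranges).

```python
import ipaddress

# Constructed sample data (documentation ranges), not taken from the thread.
GOLDEN_PREFIXES = ["192.0.2.0/24", "2001:db8:53::/48"]
CANDIDATE_SOURCES = [
    "198.51.100.7",      # single attacking host
    "192.0.2.53",        # host inside a golden network
    "203.0.113.0/25",    # attacking prefix
    "192.0.0.0/16",      # broad candidate that would swallow a golden network
    "2001:db8:53::1",    # IPv6 host inside a golden network
    "not-an-ip",         # malformed telemetry entry
]


def vet_srtbh_candidates(candidates, golden_prefixes):
    """Split candidate sources into (to_block, protected, invalid).

    A candidate is 'protected' when it overlaps any golden prefix in either
    direction: a host inside a golden network, or a covering prefix that
    contains one. Protected entries are reported with the prefix they hit.
    """
    golden = [ipaddress.ip_network(p) for p in golden_prefixes]
    to_block, protected, invalid = [], [], []
    for raw in candidates:
        try:
            # strict=False accepts host addresses and normalises host bits.
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            invalid.append(raw)
            continue
        hits = [g for g in golden
                if g.version == net.version and g.overlaps(net)]
        if hits:
            protected.append((str(net), str(hits[0])))
        else:
            to_block.append(str(net))
    return to_block, protected, invalid


if __name__ == "__main__":
    block, keep, bad = vet_srtbh_candidates(CANDIDATE_SOURCES, GOLDEN_PREFIXES)
    print("Propose for S/RTBH (operator review):", block)
    print("Held back, overlaps golden prefix:", keep)
    print("Unparseable, check telemetry:", bad)
```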