
Re: DDoS Mitigation Survey



On Mon, 7 Mar 2005, Pekka Savola wrote:

> On Mon, 7 Mar 2005, Christopher L. Morrow wrote:
> > Loose should provide you the ability to 'anti-spoof' a customer link,
> > where 'anti-spoof' would mean: "drop anything not in the global table, or
> > which has an adjacency which is 'discard'" (discard/null/bad/reject...
> > invalid) This seems nice, but the trade-off isn't something I see
> > worthwhile if your gear can't do this in hardware. uRPF can be very, very
> > dangerous on software based platforms :(
>
> But this isn't "anti-spoof" at all, because the customer can just
> spoof a _routed_ address instead.  Maybe it could be characterized as,
> "the customer sending us traffic it definitely shouldn't be sending
> us", triggering investigation what's going on.

yes, see the lower-down comment in the original email: "Cost trade off
hasn't made this option very useful for us"

>
> But as you state, the customers typically send you private IP
> addresses etc. as well, so this is more of a check whether the
> customer has done some amount of filtering himself, nothing more.
>

Correct, interesting also are the folks with 'broken' VPN clients that
don't properly NAT/tunnel their source addresses :( breaking them with
uRPF is 'bad' :(

> This is what RFC3704 section 2.4 says:
>
>     If other approaches are unsuitable, loose RPF could be used as a form
>     of contract verification: the other network is presumably certifying
>     that it has provided appropriate ingress filtering rules, so the
>     network doing the filtering need only verify the fact and react if
>     any packets which would show a breach in the contract are detected.
>     Of course, this mechanism would only show if the source addresses
>     used are "martian" or other unrouted addresses -- not if they are
>     from someone else's address space.
>
> .. but this has nothing to do with real anti-spoofing..
>

'loose anti-spoofing'... it's lame, and provides only the protections you
are aware of, that and the ability to use RTBH triggers to drop sources...
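As an added illustration, not code from the thread or any vendor, here is a small Python model of the loose uRPF check described above: a longest-prefix lookup of the packet's source against the FIB, dropping when there is no route or when the route's adjacency is a discard (null/RTBH) entry. The FIB prefixes are constructed, and the allow_default switch (whether a match on the default route alone counts) is an assumption about router behaviour; the model also shows Pekka's point that a spoofed source inside any routed prefix still passes.

```python
import ipaddress

# Constructed sample FIB as (prefix, adjacency). "discard" marks a
# null/RTBH route; "0.0.0.0/0" is the default route. Illustrative only.
FIB = [
    ("198.51.100.0/24", "ge-0/0/1"),   # routed customer prefix
    ("203.0.113.0/24", "ge-0/0/2"),    # another routed prefix
    ("203.0.113.77/32", "discard"),    # RTBH-triggered null route for one host
    ("192.0.2.0/24", "ge-0/0/3"),
    ("0.0.0.0/0", "upstream"),         # default route
]


def lookup(src, fib=FIB):
    """Longest-prefix match for src. Returns (network, adjacency) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, adj in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, adj)
    return best


def loose_urpf_verdict(src, fib=FIB, allow_default=False):
    """Loose-mode uRPF: the source only has to be reachable via *some*
    interface, and its adjacency must not be a discard route.
    Returns (verdict, reason)."""
    hit = lookup(src, fib)
    if hit is None:
        return ("drop", "no route to source")
    net, adj = hit
    if adj == "discard":
        return ("drop", "discard adjacency (null/RTBH)")
    if net.prefixlen == 0 and not allow_default:
        # Assumed behaviour: a match on the default route alone does not
        # satisfy the check unless allow-default is enabled.
        return ("drop", "matched only the default route")
    return ("pass", "routed via %s" % adj)


if __name__ == "__main__":
    # RFC1918 source -> drop; RTBH'd host -> drop; spoofed routed source -> pass
    for src in ("10.1.2.3", "203.0.113.77", "198.51.100.5"):
        print(src, loose_urpf_verdict(src))
```

The last case is the limitation the thread and RFC 3704 point out: loose RPF detects martians and unrouted or blackholed sources, not a customer spoofing someone else's routed space.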