Re: DDoS Mitigation Survey
On Mon, 7 Mar 2005, Pekka Savola wrote:
> On Mon, 7 Mar 2005, Christopher L. Morrow wrote:
> > Loose should provide you the ability to 'anti-spoof' a customer link,
> > where 'anti-spoof' would mean: "drop anything not in the global table, or
> > which has an adjacency which is 'discard'" (discard/null/bad/reject...
> > invalid) This seems nice, but the trade-off isn't something I see
> > worthwhile if your gear can't do this in hardware. uRPF can be very, very
> > dangerous on software-based platforms :(
>
> But this isn't "anti-spoof" at all, because the customer can just
> spoof a _routed_ address instead. Maybe it could be characterized as,
> "the customer sending us traffic it definitely shouldn't be sending
> us", triggering investigation what's going on.
Yes, see the lower-down comment in the original email: "Cost trade off
hasn't made this option very useful for us"
>
> But as you state, the customers typically send you private IP
> addresses etc. as well, so this is more of a check whether the
> customer has done some amount of filtering himself, nothing more.
>
Correct. Interesting also are the folks with 'broken' VPN clients that
don't properly NAT/tunnel their source addresses :( Breaking them with
uRPF is 'bad' :(
> This is what RFC3704 section 2.4 says:
>
> If other approaches are unsuitable, loose RPF could be used as a form
> of contract verification: the other network is presumably certifying
> that it has provided appropriate ingress filtering rules, so the
> network doing the filtering need only verify the fact and react if
> any packets which would show a breach in the contract are detected.
> Of course, this mechanism would only show if the source addresses
> used are "martian" or other unrouted addresses -- not if they are
> from someone else's address space.
>
> .. but this has nothing to do with real anti-spoofing..
>
'Loose anti-spoofing'... it's lame, and provides only the protections you
are aware of, that and the ability to use RTBH triggers to drop sources...
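The two checks the thread contrasts (loose RPF, which only verifies that a route for the source exists and is not a discard, versus strict RPF, which also requires that route to point back out the ingress interface) and the RTBH source-trigger trick mentioned at the end, as an added example that is not part of the original mail or of any vendor's code. The FIB, interface names and packets are constructed sample data; the choice to ignore the default route unless an 'allow default' flag is set mirrors the usual router option but is an assumption of this toy, not something the thread states.

```python
"""
Toy unicast RPF (uRPF) checker: loose vs strict mode, plus an RTBH source trigger.
Added illustration for the discussion above, not code from the mail or from any
router vendor.  The FIB, interface names and packets are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

DISCARD = "Null0"   # assumed name for the discard/null adjacency

# Constructed sample FIB: prefix -> outgoing interface (next hop).
FIB: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("0.0.0.0/0"):       "transit0",  # default toward upstream
    ipaddress.ip_network("192.0.2.0/24"):    "cust1",     # customer 1's block
    ipaddress.ip_network("198.51.100.0/24"): "cust2",     # customer 2's block
    ipaddress.ip_network("203.0.113.0/24"):  "peer0",     # someone else's space, via a peer
}


def lookup(src: str, allow_default: bool = False) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match for a source address.

    The default route is ignored unless allow_default is set (assumption here,
    modelled on the common router option): if a default route counted, every
    address would 'have a route' and loose mode would never drop anything.
    """
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        if prefix.prefixlen == 0 and not allow_default:
            continue
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def loose_rpf_permits(src: str, allow_default: bool = False) -> bool:
    """Loose mode: the source needs *some* route in the table, and that route
    must not point at a discard adjacency.  The ingress interface is ignored,
    which is why a spoofed-but-routed source still passes."""
    hit = lookup(src, allow_default)
    return hit is not None and hit[1] != DISCARD


def strict_rpf_permits(src: str, ingress: str, allow_default: bool = False) -> bool:
    """Strict mode: the best route for the source must point back out the
    interface the packet arrived on."""
    hit = lookup(src, allow_default)
    return hit is not None and hit[1] == ingress


def rtbh_source_trigger(src: str) -> None:
    """Emulate an RTBH 'source' trigger: inject a host route for the offending
    source with a discard next hop.  Loose uRPF on every uRPF-enabled interface
    then drops packets *from* that source, not only packets *to* it."""
    FIB[ipaddress.ip_network(f"{src}/32")] = DISCARD


def evaluate(packets: List[Tuple[str, str]]) -> Dict[str, Dict[str, str]]:
    """Return the loose/strict verdict for each (ingress interface, source) pair."""
    out: Dict[str, Dict[str, str]] = {}
    for ingress, src in packets:
        out[src] = {
            "loose":  "permit" if loose_rpf_permits(src) else "drop",
            "strict": "permit" if strict_rpf_permits(src, ingress) else "drop",
        }
    return out


# Constructed traffic, all arriving on customer 1's link.
SAMPLE = [
    ("cust1", "192.0.2.10"),    # genuine customer source
    ("cust1", "10.1.2.3"),      # RFC 1918 source: unrouted, the 'martian' case
    ("cust1", "203.0.113.7"),   # spoofed but routed (peer0's space); also what a
                                # broken VPN client leaks instead of its tunnel address
]


def demo() -> Tuple[Dict[str, Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Verdicts before and after the operator blackholes the attacking source."""
    before = evaluate(SAMPLE)
    rtbh_source_trigger("203.0.113.7")
    after = evaluate(SAMPLE)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for src in before:
        print(f"{src:15} loose={before[src]['loose']:6} strict={before[src]['strict']:6}"
              f"  after RTBH trigger: loose={after[src]['loose']}")
```

Run stand-alone it prints one line per sample packet. The point of the thread shows up in the third packet: loose mode passes 203.0.113.7 from the customer link because the address is routed, strict mode drops it because the route points at peer0, and only after the RTBH host route is injected does loose mode start dropping it. Setting allow_default on the lookup turns the 10.1.2.3 case into a permit as well, which is the check you lose when a default route is allowed to satisfy uRPF.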