On Fri, Mar 16, 2018 at 11:08 AM, Dino Farinacci <farina...@gmail.com> wrote: > Sorry about that but I did say from the Map-Resolver perspective. That is, > the node that receives Map-Requests from good acting ITRs/RTRs as well as bad > actors. “You” are the good and bad actors where we can’t tell one from the > other (other than good actors follow the spec in rate-limiting the > Map-Requests they send). > > Better? > > The “too …” depends on bandwidth and processing power into and in the > map-resolver. > > No normative description yet. Just ideas that I have been talking to people > about. Dave Meyer has thought about this and how ML can help tell us when we > have deviated from a baseline of “normal behavior”. So we can go into > frequency-hopping mode when we deviate by %x. > Dino,
Detecting that something is under DOS attack is not problem. It's pretty obvious when a device is getting flooded which a bunch of spoofed SYNs for example. The problem is trying to find that one SYN packet in a thousand that is not part of the attack and is actually legitimate. Again this is not easy because the attacker is purposely trying to prevent this determination. AFAIK this is a generally unsolved problem and probably impossible to fully solve. So if the reaction to the attack is to stop all requests and that one legitimate flow is blocked from making progress, then it would seen the DOS attack is successful. Tom _______________________________________________ lisp mailing list lisp@ietf.org https://www.ietf.org/mailman/listinfo/lisp
