On Fri, Mar 16, 2018 at 11:08 AM, Dino Farinacci <farina...@gmail.com> wrote:
> Sorry about that but I did say from the Map-Resolver perspective. That is,
> the node that receives Map-Requests from good acting ITRs/RTRs as well as bad
> actors. “You” are the good and bad actors where we can’t tell one from the
> other (other than good actors follow the spec in rate-limiting the
> Map-Requests they send).
> The “too …” depends on bandwidth and processing power into and in the
> No normative description yet. Just ideas that I have been talking to people
> about. Dave Meyer has thought about this and how ML can help tell us when we
> have deviated from a baseline of “normal behavior”. So we can go into
> frequency-hopping mode when we deviate by %x.
Detecting that something is under DOS attack is not a problem. It's
pretty obvious when a device is getting flooded with a bunch of
spoofed SYNs for example. The problem is trying to find that one SYN
packet in a thousand that is not part of the attack and is actually
legitimate. Again this is not easy because the attacker is purposely
trying to prevent this determination. AFAIK this is a generally
unsolved problem and probably impossible to fully solve. So if the
reaction to the attack is to stop all requests and that one legitimate
flow is blocked from making progress, then it would seem the DOS
attack is successful.