On Fri, Mar 16, 2018 at 11:41 AM, Dino Farinacci <farina...@gmail.com> wrote:
>> Detecting that something is under DOS attack is not a problem. It’s
>
> I do think it is a problem. Because you can’t tell sometimes if it is a 
> high-rate due to high demand from good actors. From the mapping system’s 
> perspective, you don’t know the traffic patterns so you don’t know that if a 
> source-EID wants to talk to 100 EIDs if that is a good actor or a bad actor. 
> If that source-EID is my phone, then it may be suspect, but if it’s a Google 
> server talking to 100 phones, that is pretty normal.
>
>> pretty obvious when a device is getting flooded with a bunch of
>> spoofed SYNs for example. The problem is trying to find that one SYN
>> packet in a thousand that is not part of the attack and is actually
>
> Right, at cisco, we called that “the needle in the haystack problem”. And it 
> comes up when we talk about topics of “punt path” in routers and DoS attacks.
>
>> legitimate. Again this is not easy because the attacker is purposely
>> trying to prevent this determination. AFAIK this is a generally
>
> Yep, that’s right.
>
>> unsolved problem and probably impossible to fully solve. So if the
>
> Agree. We should look at the honey-pot solutions that DNS has used. But it's a 
> different animal though than packet attacks.
>
>> reaction to the attack is to stop all requests and that one legitimate
>> flow is blocked from making progress, then it would seem the DOS
>> attack is successful.
>
> That isn’t what would happen with the frequency-hopping idea. If the 
> map-resolver is aggressive in dropping and it drops the needles, those ITRs 
> have a back-up or parallel plan to get their requests resolved from other 
> map-resolvers in the mapping system. Be they part of an anycast group or not.
>
Dino,

Such complexity is why I am still keen on the redirect model for a
mapping system. An ILA cache is an optional element and the control
plane is never inline with packet forwarding and packets are not
dropped on a cache miss. Neither does it generate request packets for
bogus addresses that can't be resolved. These properties bound the worst-case
DOS attack to be that legitimate traffic takes an unoptimized
route but is not blocked nor dropped. Conservatively, this does
require provisioning ILA-Rs to handle the full load if necessary to be
robust.

Tom

> Dino

_______________________________________________
lisp mailing list
lisp@ietf.org
https://www.ietf.org/mailman/listinfo/lisp