Hi,
On Tue, Dec 04, 2018 at 10:57:43PM -0500, Christopher Morrow wrote:
> HA! ok. As gert/nick noted ... we have Nx100G links today (at the edge) and
> coming nx400G ... there's just not a reasonable story for "dpi" there. (I
> suppose: "yet" and "without paying the approximate value Coca-Cola
> Companies yearly advertising budget")
Indeed.
Unfortunately, there *is* a story for being able to rate-limit incoming
crap by protocol type - "give me no more than 200 Mbit/s of UDP packets
coming from source port 53".
Which implies that as soon as the evil guys out there find a way to
generate DDoS streams carrying EHs that our border routers will (have to)
apply very strict rate limiting to everything they do not understand.
- pass TCP
- rate-limit UDP on well-known reflective attacks port
- pass rest of UDP
- rate-limit ICMP
- rate-limit fragments
- rate-limit all the rest to something which can never exceed a customer's
access-link
game over, EH
(We're not doing this today, because as of today, "volume DDoS" comes in
without EHs [except fragment] - but this is just a matter of time)
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
