Whilst I may agree that an IXP is not able to do the task, I still think that an IXP is an exceptionally ideal place to put some anti-DDoS hardware.

To protect yourself against DDoS you have to place a lot of boxes all over your network, especially where you have links to other networks. So you have to have a box at an IXP anyway. A box at an IXP could run as a shared service. So the members themselves still have to say what they think DDoS is.

Regards,
Arnold

----- Original Message -----
From: "Andre Oppermann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 05, 2002 5:45 PM
Subject: Re: [swinog] dDoS and spoofing...

> Pascal Gloor wrote:
> >
> > I know how huge this can be, but I think it's now time to go forward and to
> > find a global solution to STOP this definitively, or at least know how to stop it
> > when it occurs...
> > You need a driving licence to drive on the road, but we have no 'laws' on
> > the net... I know the internet is considered as free, open, etc... but I'm
> > sure we all agree that we need to find a solution... a good starting point
> > would be the IXPs we have. Paolo, Andre, what is your peak bandwidth on
> > your IX switches? Is there any technical way to collect data?
>
> In my opinion the IXPs are not a good place to monitor or filter such
> things. First of all my service is *not* to interfere with the IP
> traffic. As an IXP I only give the ISPs a common layer 2 switch where
> you can exchange traffic. Another major problem is that the IXPs
> don't see that much traffic and even the traffic we see is only
> the local one between ISPs. So our test set isn't nearly large
> enough to detect a DDoS. Probably most of the traffic will clog
> your upstreams. Next is who decides what actually is a DDoS and
> not just high demand due to some extraordinary or even planned
> event? As an IXP we don't have enough insight to distinguish good
> from bad. Another problem, do all ISPs connected to an IXP have to
> participate and subscribe to that monitoring? And what happens
> if we detect a DoS coming from one ISP? Shall we shut down the
> port? Filter certain IP addresses? With all this we introduce even
> more ways to DoS the Internet because someone knowledgeable would
> simply trigger these detectors and then the DoS is no longer the
> traffic overload but the DoS filter.
>
> In the end we come to the Australian paradox. Do we really solve
> the rabbit problem by putting foxes there? Or do the foxes simply
> kill other, much easier to hunt animals and then we have a rabbit
> and fox problem?
>
> Here and also with all that terrorist hype we have to be careful
> that the cure is not worse than the disease.
>
> --
> Andre
> ----------------------------------------------
> [EMAIL PROTECTED] Maillist-Archive:
> http://www.mail-archive.com/swinog%40swinog.ch/
> ----------------------------------------------
