Arnold, Nico,
Let's suppose you have Arbor or any other "professional anti-DDoS tool" and that the tool tells me: you have an attack of (almost) 1Gbps towards IP address x.y.z.w. What do you do now? You still have hundreds of Mbps coming from many ingress points, all these flows then aggregate towards x.y.z.w and fill your links, the attacked customer is completely down, other customers are impacted as well. The only way I see to solve this is to blackhole that traffic at the ingress points, this has the following consequences:
- all other customers can work again
- the attacked customer can (at least) work with all other IP addresses
- as it is a DDoS, the ingress links are not filled up, no issue here
Nico, by the way, maybe I'm wrong but Arbor is a detection system that detects DDoS and proposes access-lists for you to configure on the border... so in fact they are doing the same as blackholing. Do you maybe have different info?
Trying to stop the DDoS traffic at the source is almost impossible, you have to contact many different networks and ask them to trace back to the source. I did it Friday night (I also sent e-mails to specialised security mailing lists) and I received just two answers and not from the biggest sources.
From my point of view, Arbor tools are very useful in the detection, you can save a lot of time and react faster, but the only solution I see afterwards is to blackhole the traffic.
Regards Mic
>Since the traffic comes thru your edge anyway, what's the point of blackholing? Did you ever hear of Arbor Networks?
>
>Cu,
>
>Nico
>
>>>On 02.08.2004 09:08 Michele Marazza wrote:
>>>
>>> Of course (anyone who has lived through such DDoSs can probably confirm), it took me some time before I could find THE /32 that was attacked and blackhole it at our borders.
>>>
>>
>>aren't you deploying professional Anti-DDoS solutions? Blackholing
>>traffic has the same effect as attacking (at least for the victim).
>>
>>>Arnold
--
Michele Marazza / IP-Plus Engineering / www.ip-plus.net / Swisscom Enterprise Solutions
_______________________________________________ swinog mailing list [EMAIL PROTECTED] http://lists.init7.net/cgi-bin/mailman/listinfo/swinog
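
An added example, not part of the original thread: the message describes an attack that arrives as a few hundred Mbps on each of many ingress points and only adds up to (almost) 1Gbps once the flows converge on one /32. The sketch below sums constructed flow summaries across all ingress points to find that /32; the router names, addresses, export interval and thresholds are all assumptions.

```python
from collections import defaultdict

INTERVAL_S = 60  # assumed export interval for the constructed records below

# Constructed flow summaries: (ingress point, destination IP, bytes in interval).
# Router names and addresses (RFC 5737 range) are placeholders, not from the thread.
FLOWS = [
    ("border-1", "192.0.2.10", 1_800_000_000),
    ("border-2", "192.0.2.10", 1_800_000_000),
    ("border-3", "192.0.2.10", 1_800_000_000),
    ("border-4", "192.0.2.10", 1_800_000_000),
    ("border-1", "192.0.2.20", 2_250_000_000),  # one large but ordinary customer flow
    ("border-2", "192.0.2.30", 300_000_000),
    ("border-3", "192.0.2.30", 300_000_000),
]

def mbps(nbytes, interval_s=INTERVAL_S):
    """Convert a byte count over the interval to megabits per second."""
    return nbytes * 8 / interval_s / 1e6

def per_destination(flows):
    """Sum bytes per destination, keeping the split by ingress point."""
    totals = defaultdict(lambda: defaultdict(int))
    for ingress, dst, nbytes in flows:
        totals[dst][ingress] += nbytes
    return totals

def top_destination_per_ingress(flows):
    """What each border router sees on its own: its single busiest destination."""
    best = {}
    for dst, by_ingress in per_destination(flows).items():
        for ingress, nbytes in by_ingress.items():
            if nbytes > best.get(ingress, ("", 0))[1]:
                best[ingress] = (dst, nbytes)
    return {ingress: dst for ingress, (dst, _) in best.items()}

def blackhole_candidates(flows, threshold_mbps=500, min_ingress=3):
    """Destinations whose network-wide rate exceeds the threshold and which are
    hit through several ingress points at once (thresholds are assumptions)."""
    found = []
    for dst, by_ingress in per_destination(flows).items():
        rate = mbps(sum(by_ingress.values()))
        if rate >= threshold_mbps and len(by_ingress) >= min_ingress:
            found.append((f"{dst}/32", round(rate, 1), sorted(by_ingress)))
    return sorted(found, key=lambda c: c[1], reverse=True)

if __name__ == "__main__":
    print(top_destination_per_ingress(FLOWS))
    for prefix, rate, ingresses in blackhole_candidates(FLOWS):
        print(f"{prefix}: {rate} Mbps via {', '.join(ingresses)}")
```

In the sample, border-1 on its own ranks an ordinary 300 Mbps flow above the attacked address, which only stands out in the network-wide sum.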
