Internet2 Network Security SIG

["Spurling, Shannon" <>]

I'd like to address the concerns about the RBH concerns, and also the notion 
that scrubbing being a provider function. 

The cool thing with a service like UTRS, is that it only kills a single IP, 
which is what I have seen most DDOS's target. It's rare to see more than one 
target IP per attack, and if the attack changes focus, almost always the old 
flows disappear rather quickly. Sure, you move the target and it follows, but 
that kind of gives an indication that there is some sort of collusion on site 
that needs to be dealt with and maybe traced. The bad thing is, I think most 
of us could provide a /27 per k12 site. It doesn't have to be a single public 
NAT, but it is in most cases. That makes them easy targets.  I've had schools 
with /24 allocations using a single public NAT. Something is just not right 
there.

I have also seen a bunch of port 80 SYN attacks. This is where scrubbing 
would be pivotal. Thing is, as a provider, do you just dump the SYN's and 
assume the downstream is single hosted or would not have an asymmetric path? 
I would think you would have to have some way to look inside the packets and 
figure out if they were valid. That is difficult and costly at the provider 
level, if not next to impossible. It's hard enough at the site edge. 

If a single IP is too coarse of a block, there was talk in UTRS of looking 
into using BGP FlowSpec in the system to block ports or do rate limiting. The 
ports would be easy, the defining of remote rate limits would be tricky at 
best. I think something like that would be one of the most elegant solutions, 
but you would need broad community support for a FlowSpec configuration.  The 
community aspect of UTRS really makes it the most effective solution I have 
seen. Clean up the garbage before it impacts the network.

 



Shannon Spurling



-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Michael H Lambert
Sent: Thursday, October 22, 2015 10:53 AM
To: Spurling, Shannon
Cc: Cas D'Angelo; Steven Wallace; 
;
 Rob Vietzke; George Loftus; John Moore; Caroline Weilhamer
Subject: Re: [Security-WG] fast track for DDoS recommendations to Internet2, 
and a bit more...

> On 20 Oct 2015, at 12:06, Spurling, Shannon 
> <>
>  wrote:
> 
> Personally, I’m not sold on scrubbing. Sometimes it’s best to scuttle the 
> IP during the attack and adopt some edge based practices that let you have 
> some flexibility at the edge. Some of the lamest (as far as target value or 
> reason behind it) DDOS’s are enormous, and I don’t see any way to 
> effectively scrub them out. Then there’s the camouflaged ones, where you 
> would need something application or state aware to properly remove the bad 
> traffic. That is very computationally expensive.

I also have reservations about scrubbing.  To me it's just paying a 
third-party to do what your provider should be doing as part of their basic 
service (ie, filtering on ingress).  Black hole routes are too broad 
(essentially a concession to the attacker).  There may be promise in 
flowspec, but only if providers are willing to push it to their edge.

Michael