On 2018-12-05 21:52, Gert Doering wrote:
> Hi,
>
> On Tue, Dec 04, 2018 at 10:57:43PM -0500, Christopher Morrow wrote:
>> HA! ok. As gert/nick noted ... we have Nx100G links today (at the edge) and
>> coming nx400G ... there's just not a reasonable story for "dpi" there. (I
>> suppose: "yet" and "without paying the approximate value of the Coca-Cola
>> Company's yearly advertising budget")
>
> Indeed.
>
> Unfortunately, there *is* a story for being able to rate-limit incoming
> crap by protocol type - "give me no more than 200 Mbit/s of UDP packets
> coming from source port 53".
>
> Which implies that as soon as the evil guys out there find a way to
> generate DDoS streams carrying EHs, our border routers will (have to)
> apply very strict rate limiting to everything they do not understand.
>
> - pass TCP
> - rate-limit UDP on well-known reflective attack ports
> - pass rest of UDP
> - rate-limit ICMP
> - rate-limit fragments
> - rate-limit all the rest to something which can never exceed a customer's
>   access-link
>
> game over, EH

Just to point out that this is equivalent to saying "game over, any new
layer 4 protocol" too. For example, you just killed SCTP. And the same
goes for new protocols over IPv4.

   Brian

> (We're not doing this today, because as of today, "volume DDoS" comes in
> without EHs [except fragment] - but this is just a matter of time)
>
> Gert Doering
> -- NetMaster
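The following is an added example, not code from the thread or from either poster. It models Gert's six-bucket policer in Python and makes Brian's collateral-damage point visible: a line-rate ACL that matches only on the fixed header's Next Header field (the "shallow" classifier, an assumption about how such filters behave) drops SCTP and any TCP packet carrying a Hop-by-Hop header into the catch-all "rate-limit all the rest" bucket, while a classifier that walks the extension-header chain (the "deep" variant) would let the TCP packet through. The reflective port list, the packet builders and all sample packets are constructed for this example.

```python
"""Model of the per-protocol policer discussed in the thread (added example).

Assumptions (not from the thread):
  * classify_shallow() mirrors a line-rate ACL that looks only at the
    IPv6 fixed header's Next Header byte;
  * classify_deep() walks the extension-header chain for comparison;
  * REFLECTIVE_SRC_PORTS is a constructed stand-in for "well-known
    reflective attack ports";
  * every packet in SAMPLES is constructed test data.
"""
import struct

# IANA protocol / next-header numbers
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
TCP, UDP, ICMPV6, SCTP = 6, 17, 58, 132

# Constructed list: UDP source ports of commonly abused reflectors (DNS, NTP, SSDP)
REFLECTIVE_SRC_PORTS = {53, 123, 1900}

PASS = "pass"
RL_UDP_REFLECT = "rate-limit-udp-reflective"
RL_ICMP = "rate-limit-icmp"
RL_FRAG = "rate-limit-fragments"
RL_REST = "rate-limit-rest"


def policy(proto, l4):
    """Gert's bucket list, applied to an upper-layer protocol number and its header."""
    if proto == TCP:
        return PASS
    if proto == UDP:
        src_port = struct.unpack("!H", l4[:2])[0]
        return RL_UDP_REFLECT if src_port in REFLECTIVE_SRC_PORTS else PASS
    if proto == ICMPV6:
        return RL_ICMP
    if proto == FRAGMENT:
        return RL_FRAG
    return RL_REST  # SCTP, any other L4, and every EH the box does not parse


def _check_ipv6(pkt):
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")


def classify_shallow(pkt):
    """Line-rate ACL behaviour: only the fixed header's Next Header byte is consulted."""
    _check_ipv6(pkt)
    return policy(pkt[6], pkt[40:])


def classify_deep(pkt):
    """Walk the EH chain to reach the real upper-layer header before applying policy."""
    _check_ipv6(pkt)
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:          # policy rate-limits fragments regardless of L4
            return RL_FRAG
        # Generic EH layout: Next Header, Hdr Ext Len (in 8-octet units, not counting first)
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return policy(nh, pkt[off:])


# ---- constructed packet builders ----------------------------------------
SRC = b"\x20\x01\x0d\xb8" + b"\0" * 12          # 2001:db8::
DST = b"\x20\x01\x0d\xb8" + b"\0" * 11 + b"\1"  # 2001:db8::1


def ipv6(next_header, payload):
    """Fixed IPv6 header (version 6, zero traffic class / flow label) + payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, SRC, DST) + payload


def hop_by_hop(next_header, payload):
    """Minimal 8-byte Hop-by-Hop header (Hdr Ext Len 0) holding a PadN option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0]) + payload


def fragment(next_header, payload, offset=0, more=True):
    """Fragment header: next header, reserved, offset/flags, identification."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), 0x1234) + payload


def udp(src_port, dst_port, data=b""):
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def tcp_syn(src_port=40000, dst_port=443):
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


SAMPLES = {
    "tcp":            ipv6(TCP, tcp_syn()),
    "udp-dns-reply":  ipv6(UDP, udp(53, 40000)),
    "udp-other":      ipv6(UDP, udp(40000, 443)),
    "icmpv6":         ipv6(ICMPV6, bytes([128, 0, 0, 0])),
    "fragment":       ipv6(FRAGMENT, fragment(UDP, udp(40000, 443))),
    "sctp":           ipv6(SCTP, b"\0" * 12),
    "tcp-behind-hbh": ipv6(HOP_BY_HOP, hop_by_hop(TCP, tcp_syn())),
}


def audit(samples=SAMPLES):
    """Return {name: (shallow_bucket, deep_bucket)} so the collateral damage is visible."""
    return {name: (classify_shallow(p), classify_deep(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (shallow, deep) in audit().items():
        print(f"{name:16} shallow={shallow:26} deep={deep}")
```

Running it shows the two classifiers agreeing on everything except the TCP packet behind a Hop-by-Hop header: the shallow ACL files it under "rate-limit-rest" alongside SCTP, which is exactly the "game over, EH / game over, any new layer 4 protocol" outcome the thread describes.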