On Thu, Dec 6, 2018 at 1:32 AM Gert Doering <gert@xxxxxxxxx> wrote:
> On Thu, Dec 06, 2018 at 01:14:54PM +1300, Brian E Carpenter wrote:
> > > Which implies that as soon as the evil guys out there find a way to
> > > generate DDoS streams carrying EHs that our border routers will (have to)
> > > apply very strict rate limiting to everything they do not understand.
> > >
> > > - pass TCP
> > > - rate-limit UDP on well-known reflective attacks port
> > > - pass rest of UDP
> > > - rate-limit ICMP
> > > - rate-limit fragments
> > > - rate-limit all the rest to something which can never exceed a
> > > customer's access-link
> > >
> > > game over, EH
> >
> > Just to point out that this is equivalent to saying "game over,
> > any new layer 4 protocol" too. For example, you just killed SCTP.
> > And the same goes for new protocols over IPv4.
>
> Well. Since nobody is using SCTP, it can nicely live in the
> "rate-limit all the rest to something ..." bucket...
>
> But yes, "any new layer 4 protocol" is likely to not work in an Internet
> that is basically full of hostile packets *in high volumes*.
>
> Trying to run large volume traffic over UDP/443 is going to be the next
> exercise in "operators told you that it isn't going to work"...

Is that a prediction, or a self-fulfilling prophecy? I would certainly hope
that filtering UDP/443 is not done preemptively without actual evidence that
it is in fact a DDoS vector.

Mike Heard
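The bucket list quoted above, as an added classifier that is not part of this thread or any router vendor's code: it walks an IPv6 extension header chain to find the upper-layer protocol and sorts the packet into the six buckets. The `walk_chain=False` mode models a border filter that only reads the fixed header's Next Header field, which is what puts any packet carrying an EH (even plain TCP behind a Hop-by-Hop header) into the "rate-limit all the rest" bucket; SCTP lands there in both modes. The reflective-port set and the sample packets are constructed for the example.

```python
import struct

HOPOPT, TCP, UDP, ROUTING, FRAGMENT, AH, ICMPV6, DSTOPTS, SCTP = 0, 6, 17, 43, 44, 51, 58, 60, 132
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}  # IANA next-header values that are extension headers
REFLECTIVE_UDP_PORTS = {53, 123, 161, 1900, 11211}  # constructed placeholder list of reflective services

def upper_layer(pkt: bytes):
    """Walk the extension header chain; return (next_header, payload_offset, is_fragment).
    next_header is None for a non-initial fragment, whose upper layer cannot be seen."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, fragment = pkt[6], 40, False
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        nxt = pkt[off]
        if nh == FRAGMENT:  # fixed 8 bytes; fragment offset is the top 13 bits of bytes 2-3
            fragment, frag_off = True, struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            off += 8
            if frag_off:
                return None, off, True
        elif nh == AH:  # AH length is in 4-octet units, minus 2
            off += (pkt[off + 1] + 2) * 4
        else:  # other extension headers: 8-octet units, not counting the first 8
            off += (pkt[off + 1] + 1) * 8
        nh = nxt
    return nh, off, fragment

def classify(pkt: bytes, walk_chain: bool = True) -> str:
    """Sort a packet into the thread's buckets. walk_chain=False models a border filter
    that only reads the fixed header's Next Header field and treats every EH as unknown."""
    nh, off, fragment = upper_layer(pkt) if walk_chain else (pkt[6], 40, pkt[6] == FRAGMENT)
    if fragment:
        return "rate-limit fragments"
    if nh == TCP:
        return "pass TCP"
    if nh == UDP:
        sport, dport = struct.unpack_from("!HH", pkt, off)
        return "rate-limit UDP reflective" if {sport, dport} & REFLECTIVE_UDP_PORTS else "pass UDP"
    if nh == ICMPV6:
        return "rate-limit ICMP"
    return "rate-limit rest"  # SCTP, unknown protocols, and (without chain walking) any EH

# Constructed sample packets: minimal IPv6 header ::1 -> ::1, one PadN Hop-by-Hop header, fragment header.
def ipv6(nh: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), nh, 64, b"\0" * 15 + b"\1", b"\0" * 15 + b"\1") + payload
def hbh(nh: int) -> bytes:
    return bytes([nh, 0, 1, 4, 0, 0, 0, 0])
def frag(nh: int, offset: int, more: bool) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset << 3) | int(more), 0x1234)
```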