[afnog] [AfrISPA.Discuss] Securing our network
Global One Solution
malabow at gmail.com
Fri May 2 19:26:49 UTC 2008
Mark,
You hit the nail on the head, this is the most effective way an ISP can sort of fight
attacks. I expect more attacks in Africa if the EASSY or TEAMS projects go
successfully and more people get online. It's easy to handle when the
client has a circuit, like a private line, but it has to be hard to manage DSL
customers.
Good discussion :)
On Thu, May 1, 2008 at 10:59 PM, Mark Tinka <mtinka at globaltransit.net>
wrote:
> On Monday 28 April 2008, Global One Solution wrote:
>
> > I am sure you know well, ACL alone does not protect you from
> > ANYTHING, unless you are willing to block legitimate traffic.
> > You are really at the mercy of your ISP. If your ISP is
> > not placing the ACL in the edge router, what good will your
> > ACL do? All the hacker needs is a way to flood your
> > link, and they can take you out of service. So let's say
> > you even place CiscoGuard (which I agree is expensive),
> > and I'm not saying this is the solution, but even if you
> > place some intelligent device behind your CE router,
> > you will not be given the opportunity to study the health
> > of the packet, since the hacker's goal is just to take you
> > out of service. I really advocate a VERY close
> > relationship between the *customer* and *ISP*. RTB
> > (Remote Trigger Blackhole) is also another feature that
> > kind of helps clients
>
> Protecting against DoS and DDoS is not easy and is as much
> dependent on good networking practices as it is on excellent
> NOC procedures.
>
> The first thing to have is the right tools, tools that will
> help detect anomalies quickly, e.g., NetFlow, cFlowd, MRTG,
> Cacti, Ourmon, Nfsen, commercial products, etc.
>
> Once you have that, having a trained NOC that knows what to
> do, step-for-step, is crucial. If your NOC are slow or do
> not have proper procedures to follow, all your fancy
> equipment is useless.
>
> The next is looking at how best to mitigate the attacks.
> Larger ISPs do this with money, i.e., use hardware-based
> routers (forwarding packets using ASICs and/or network
> processors, rather than software processes) + huge
> bandwidth. Probably not an option for a small ISP, but then
> again, typically, large and small ISPs see different
> attack profiles (although you shouldn't always take this
> for granted).
>
> For customers whose upstreams have fat pipes and big
> hardware-based platforms, you can purchase anti-DoS
> services where the upstreams will have a fairly low
> utilization threshold, e.g., 40% (or more) of all bandwidth
> should remain available at all times. They can then use
> this extra bandwidth to suppress any attacks heading your
> way, thereby freeing up YOUR pipe to them.
>
> Note that destination-based blackholing is faster to
> implement, but, for all intents and purposes, completes the
> DoS attack anyway :-).
>
> Source-based blackholing is possible, but harder as many
> attacks these days are DDoS-based, i.e., the attack
> originates from multiple sources.
>
> Simple things you can do within your network to mitigate the
> spread of such occurrences (in addition to the points in
> the first few paragraphs, above):
>
> 1. Deploy BCP-38 on your border, peering and edge routers.
>
> 2. Complement this with RFC 1918 blocking.
>
> 3. Add RFC 3330 blocking.
>
> 4. Use uRPF (loose and/or strict, depending on where you
> place it).
>
> 5. Use prefix lists or route filters for BGP sessions with
> your customers (remember the PCCW-PTA incident?).
>
> 6. Have a community-based blackhole policy, with a dedicated
> blackhole router, i.e., remote-triggered blackholing, as
> you mention above.
>
> 7. Use RPSL to manage external peering filters.
>
> Cheers,
>
> Mark.
>
--
Liban Mohamed
Global One Solution
www.globalonesolutions.net
malabow at gmail.com
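As an added illustration of items 1 to 4 in Mark's list (not code from the thread or from either poster), the following script audits NetFlow-style records against the same ingress rules an edge router would apply: RFC 1918 and RFC 3330 special-use sources are dropped, customer-facing interfaces get strict uRPF (BCP-38), and the upstream interface gets loose uRPF. The FIB, interface names and flow records are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 private space plus RFC 3330 special-use blocks that should never
# appear as a source on an Internet-facing interface.
BOGON_SOURCES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",         # RFC 3330
    "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed FIB for an edge router: prefix -> interface that reaches it.
# No default route is modelled, so an unrouted source fails even loose mode.
FIB = {
    ip_network("203.0.113.0/24"): "Gi0/1",   # customer A
    ip_network("198.51.100.0/24"): "Gi0/2",  # customer B
}

# Strict on customer ports (symmetric routing), loose towards the upstream.
URPF_MODE = {"Gi0/1": "strict", "Gi0/2": "strict", "Gi0/0": "loose"}

def is_bogon(src):
    return any(ip_address(src) in net for net in BOGON_SOURCES)

def urpf_passes(src, in_if, mode):
    """Loose: any route to the source exists. Strict: the best route to the
    source points back out the interface the packet arrived on."""
    addr = ip_address(src)
    matches = [n for n in FIB if addr in n]
    if not matches:
        return False
    best = max(matches, key=lambda n: n.prefixlen)   # longest match
    return mode == "loose" or FIB[best] == in_if

def audit(records):
    """Return (record, reason) for every flow the edge filters should drop."""
    findings = []
    for rec in records:
        if is_bogon(rec["src"]):
            findings.append((rec, "RFC 1918/3330 source"))
        elif not urpf_passes(rec["src"], rec["in_if"], URPF_MODE[rec["in_if"]]):
            findings.append((rec, "BCP-38/uRPF: source not valid on ingress interface"))
    return findings

# Constructed flow records in the shape nfdump or cflowd would export.
SAMPLE_FLOWS = [
    {"src": "203.0.113.10", "dst": "198.51.100.7", "in_if": "Gi0/1"},  # legitimate
    {"src": "10.1.2.3",     "dst": "203.0.113.5",  "in_if": "Gi0/0"},  # private source
    {"src": "198.51.100.7", "dst": "203.0.113.5",  "in_if": "Gi0/1"},  # B's address on A's port
    {"src": "192.0.2.44",   "dst": "203.0.113.5",  "in_if": "Gi0/0"},  # RFC 3330 test-net
    {"src": "100.64.0.1",   "dst": "203.0.113.5",  "in_if": "Gi0/0"},  # no route at all
]

if __name__ == "__main__":
    for rec, reason in audit(SAMPLE_FLOWS):
        print(f"DROP {rec['src']} on {rec['in_if']}: {reason}")
```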