On 1 Sep 2018, at 1:35, Aaron Gould wrote:

I may mark internet-sourced-udp with a certain marking dscp/exp so that as it travels through my internet network, it will be the first to get dropped (? Wred ? work well for udp?) during congestion when an attack gets through

You can use flow telemetry analysis to look at the UDP non-initial fragments destined for any access networks under your control; you'll likely see that they comprise a tiny portion of the overall traffic mix, and they're most commonly associated with large DNS answers.

Once you've determined the numbers, you can police down the non-initial fragments destined for the access networks you control (don't do this on transit traffic!) to whatever small percentage makes the most sense, with a bit of extra headroom. 1% of link bandwidth works for several operators.

In that QoS policy, you exempt well-known/well-run open DNS recursor farms like Google DNS, OpenDNS, et. al. (and possibly your own, depending on your topology, etc.), and any other legitimate source CIDRs which generate appreciable amounts of non-initial fragments.

When a reflection/amplification attack which involves non-initial fragments hits, the QoS policy will sink a significant proportion of the attack. It doesn't help with your peering links, but keeps the traffic off your core and off the large network(s).

Again, don't apply this across-the-board; only do it for access networks within your span of administrative control.

* btw, what can you experts tell me about tcp-based volumetric attacks...

TCP reflection/amplification.

-----------------------------------
Roland Dobbins <rdobb...@arbor.net>

Reply via email to