Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
Internet & Networking "The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."
Thread beginning with comment 557026
Alfman
Member since:
2011-01-28

"No, not at all. Ingress and egress filtering does not prevent multi-homing."

Depends on the type of multihoming. One type is to NAT traffic across different IPs, but that might be worse than shared IP multihoming for certain things, esp. like VOIP where you really want to use one IP and let the network determine the shortest path on its own. Admittedly this is probably very uncommon outside of the enterprise, and not very useful without the help of the ISP to cooperate in advertising your own IP routes through them.

My understanding is that many services, including the root nameservers employ this kind of shared IP address multihoming today in order to increase redundancy and decrease latency.



"Why would I 'filter out this IP'?"

I may have misunderstood you then, I thought you were advocating blocking externally generated inbound traffic from your peers based on source IP, which is what I'm refuting the benefit of.

http://www.osnews.com/thread?557011

If I misread that it could explain our disagreement ;)

Edited 2013-03-29 06:08 UTC

Reply Parent Score: 2

Soulbender Member since:
2005-08-18

"I thought you were advocating blocking externally generated inbound traffic from your peers based on source IP, which is what I'm refuting the benefit of."


Yes, that could be done if I'm peering at an internet exchange, for example. In that case I most likely know from my peers' announcements what source IPs they should have and I could reliably use that information for filtering.

If on the other hand, I'm an end-user and only have upstream peers, filtering on source IP would be mostly futile with the exception of not accepting external traffic with a source from within your own network.

Reply Parent Score: 2

Alfman Member since:
2011-01-28

Soulbender,

"Yes, that could be done if I'm peering at an internet exchange, for example. In that case I most likely know from my peers announcements what source IP's they should have and I could reliable use that information for filtering."

I doubt that'd ever be very useful in practice because it's going to be very unlikely to find any IP addresses that Cogent can route to and HE cannot. Both networks could legitimately send traffic to and from Spamhaus IPs under various network scenarios. Your router, as a recipient of a packet that appears to be from Spamhaus, is fundamentally unable to determine whether the packet is from Spamhaus or not based on the interface it arrived from. This is the basis of the internet's redundancy and is usually a good thing.

Reply Parent Score: 2
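The two positions in this exchange can be put into a small simulation. The following is an added example, not code from either commenter or from the linked article. It models the edge filter Soulbender describes (drop external packets claiming one of your own prefixes; on an exchange port, accept only sources the peer announced to you; on a transit port, nothing more can be checked) and then the caveat Alfman raises: if the filter is tightened to "accept a source only on the interface the best route to it points at", a legitimately multi-homed source arriving via the other transit is dropped. The topology, the documentation prefixes, the announcement table and the BEST_PATH choice are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", ["src", "iface"])

# Constructed topology: RFC 5737 documentation prefixes, not real routes.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Hypothetical prefixes each neighbour announced to us. The transits announce
# a default route, so any source "matches" them; 192.0.2.0/24 is a multi-homed
# origin reachable through an exchange peer and both transits.
ANNOUNCED = {
    "ix-peerA": [ipaddress.ip_network("198.51.100.0/24")],
    "ix-peerB": [ipaddress.ip_network("192.0.2.0/24")],
    "transit0": [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("0.0.0.0/0")],
    "transit1": [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("0.0.0.0/0")],
}
IX_PORTS = {"ix-peerA", "ix-peerB"}
TRANSIT_PORTS = {"transit0", "transit1"}

# Hypothetical best-path selection for the multi-homed prefix (constructed).
BEST_PATH = {ipaddress.ip_network("192.0.2.0/24"): "transit0"}


def in_any(addr, prefixes):
    """True if addr falls inside any of the given networks."""
    return any(addr in p for p in prefixes)


def edge_filter(pkt, strict=False):
    """Decide whether to accept an inbound packet at the network edge.

    Returns (accept, reason). Rules, in order:
    1. External traffic with a source inside our own prefixes is spoofed.
    2. On an exchange port, accept only sources that peer announced to us.
    3. On a transit port the default route covers every source, so the
       announcement proves nothing. With strict=True the packet must also
       arrive on the best-path interface for its source prefix; that is the
       per-interface check Alfman argues cannot distinguish legitimate
       multi-homed traffic from forged traffic.
    """
    src = ipaddress.ip_address(pkt.src)
    if in_any(src, OWN_PREFIXES):
        return False, "spoofed: our own prefix arriving from outside"
    if pkt.iface in IX_PORTS:
        if in_any(src, ANNOUNCED[pkt.iface]):
            return True, "source matches peer announcement"
        return False, "source not announced by this peer"
    if pkt.iface in TRANSIT_PORTS:
        if strict:
            for prefix, best_iface in BEST_PATH.items():
                if src in prefix and best_iface != pkt.iface:
                    return False, "strict: arrived on non-best-path interface"
        return True, "transit: accepted, source not verifiable"
    return False, "unknown interface"


def demo():
    """Run the scenarios from the thread and return their verdicts."""
    cases = {
        "spoofed_own_prefix": edge_filter(Packet("203.0.113.7", "transit0")),
        "ix_announced": edge_filter(Packet("198.51.100.9", "ix-peerA")),
        "ix_not_announced": edge_filter(Packet("198.51.100.9", "ix-peerB")),
        # Legitimate multi-homed source taking the non-best transit:
        "multihomed_loose": edge_filter(Packet("192.0.2.10", "transit1")),
        "multihomed_strict": edge_filter(Packet("192.0.2.10", "transit1"), strict=True),
        "multihomed_strict_best": edge_filter(Packet("192.0.2.10", "transit0"), strict=True),
    }
    return cases


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:24s} {'ACCEPT' if accepted else 'DROP  '} {reason}")
```

The loose rules only ever reject packets that are provably wrong for the port they arrived on (your own prefix from outside, a source an exchange peer never announced); the strict rule rejects the `multihomed_strict` case even though the packet is genuine, which is the redundancy cost the thread is arguing about. Which interface a packet arrives on tells you about routing asymmetry, not about who sent it.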