On Jan 30, 2008 10:10 AM, Jeremy Jackson <[EMAIL PROTECTED]> wrote:
> Take a look at IKE, the Internet Key Exchange protocol used in IPSEC.
> It issues a challenge-response to weed out spoofed addresses. So, it
> has DDoS protection built in. Sadly, most legacy protocols don't. TCP
> has had RST and SYN cookies "hacked" into it, as well as MD5 preshared
> keys.
>
> The basic security flaw of the internet is the DDoS, a flood of packets
> with spoofed source addresses. I don't know of any backbone networks
> which do ingress filtering, so most of the time you need to take the
> approach of IPSEC. If your connection is filled up by the resulting
> traffic, well then you're out of luck.
>
> It is possible to mitigate a DDoS flood from "the internet", if your
> network (Autonomous System) has some non-transit peers, such as private
> peering, or public peering at an internet exchange. Your network (or
> preferably your peer's) can do address filtering, such that spoofed
> addresses are minimized. You can then prioritize those peers/networks
> such that a flood from "the internet" will only cut off traffic from
> "the internet", and your peer networks with the heightened security
> (ingress filtering) can enjoy uninterrupted VOIP (and other services).
>
> To be clear, I believe the DDoS issues can only be addressed at the
> Autonomous System level, which is typically an ISP or large hosting
> company.
>
> Regards,
>
> Jeremy
Jeremy,

Most carriers that provide you with a BGP session can provide this service. Some do for free, some do for fee. When setting up BGP with Cogent, for example, you can opt-in (for free) to create a second BGP session to a blackhole server. You can advertise /32s to that server and have traffic to it blackholed at Cogent's backbone. Apparently at least Verizon Biz (old MCI/UUNET) also provides this for a fee (probably with to/from AS/IP/etc matching).

With a service like this, enough upstream carriers, and some stupid BGP tricks (AS Path prepending, setting communities, etc) you can make it through most DDoS/DoS attacks. Then again if it is big or sophisticated enough nothing short of a massive CDN (Akamai, etc) will help you. I don't think they do VoIP yet ;)...

After all - even with all the application intelligence, packet filtering, etc, in most cases by the time you get the packet to evaluate it, it's too late - it's already been sent and used your resources (bandwidth, CPU, etc). Now all you can do is choose how to respond to it (if at all).

There has been some discussion on NANOG about this over the last few days. Well worth the read.

--
Kristian Kielhofner
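As an added illustration of the blackhole session Kristian describes (not taken from his mail or from any carrier's documentation), here is an FRR-style router configuration that keeps the remotely triggered blackhole (RTBH) announcement on its own eBGP session. The ASNs, neighbor address, victim host 198.51.100.7, tag 666 and community 64500:666 are constructed placeholders; the real blackhole community and peer address come from the upstream's service description.

```text
! Victim host under attack: a static route to Null0 carrying a tag that
! marks it as "to be blackholed". Adding or removing this one line is
! the operator action that triggers or withdraws the blackhole.
ip route 198.51.100.7/32 Null0 tag 666
!
! Only host routes (/32) carrying the blackhole tag may leave on the
! blackhole session, so the upstream can never receive and discard
! traffic for a whole customer prefix by mistake.
ip prefix-list RTBH-HOST-ONLY seq 10 permit 0.0.0.0/0 ge 32
!
route-map RTBH-OUT permit 10
 match ip address prefix-list RTBH-HOST-ONLY
 match tag 666
 ! Placeholder community; the upstream publishes the real value.
 ! no-export keeps the /32 inside the carrier's own AS.
 set community 64500:666 no-export
!
route-map RTBH-OUT deny 20
!
router bgp 64512
 ! Second, dedicated session to the carrier's blackhole server;
 ! normal transit prefixes are announced on a separate session.
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 description Upstream RTBH blackhole session (constructed)
 address-family ipv4 unicast
  redistribute static route-map RTBH-OUT
  neighbor 192.0.2.1 send-community
  neighbor 192.0.2.1 route-map RTBH-OUT out
 exit-address-family
```

Once the /32 is announced, the carrier discards traffic for that host at its own edge, so the flood no longer fills your link; the trade-off is that the blackholed host is unreachable from that carrier until the static route is removed.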
