Archive for December, 2007

Anti-Spam

I must acknowledge that the best anti-spam tool is Spamhaus (not SpamAssassin). They maintain a blacklist of spamming and rogue IP addresses. Listing and delisting are done promptly and in a very professional manner. The listing decision and the spam evidence are available on their website. If an IP address is blacklisted by Spamhaus, you can be 100% sure that it is spamming (voluntarily or involuntarily). Spamhaus can block 90% of the spam without any content check. I trust the Barracuda firewall to do the rest of the job.


Anatomy of a distributed denial of service attack (DDOS)

It is very easy, these days, to launch a DDOS attack on a server or website. Thousands of computers can be controlled centrally by one person. The “zombies” usually get their orders through an IRC chat channel.

There are basically two types of denial of service attack:

1. UDP Flood

Fake UDP packets are sent to the victim server's IP address in order to flood its connection. You can block the packets on your firewall, but by then they have already arrived and are congesting your uplink. If the attacker has more bandwidth than you, you cannot do much except contact your uplink provider, who has more bandwidth to cope with the attack, for help.

2. TCP SYN flood

The server receives too many fake SYN requests (which never get established/acknowledged) and has no room left to handle legitimate requests. Activating SYN cookies can help mitigate the attack, but it is generally not enough. The bandwidth required to carry out this attack is much lower than for a UDP flood.

Third-party firewalls can mitigate a SYN flood. You can even put some reverse proxies in front of your web server to receive the SYN requests. To mitigate a UDP flood, you simply have to have a bigger pipe than the attacker. A multi-gigabit attack is not impossible: even if you have a 1 Gbps uplink, you're hosed. Your uplink provider cannot help you much if the source IP addresses are spoofed and random.

If you missed the news about the attack on Estonia, you can read the detailed report on Wired.


Mauritius Public Holidays in Google Calendar

For your own enjoyment in Google Calendar, click here:


The Internet is exploding

Once in a while (once in a blue moon?), I write a technical work-related post. The lingo may be hard to follow, but some knowledge of networking will help. We have exceeded 240,000 routes since October and the number is not going down. In comparison, there were fewer than 100k routes in 2000 and fewer than 175k in 2005.

A route is the advertisement of a subnet (or prefix) in BGP (Border Gateway Protocol). The subnet can be as large as a /8 (4.0.0.0/8, for example) or as small as a /24. Anything smaller than a /24 is generally filtered out. An ISP uses BGP to announce its subnets to other ISPs so that the IP addresses become reachable (pingable). The Internet is a network of ISPs connected together and communicating with BGP. An ISP can choose to announce its subnets as several /24s or aggregate them into a single route (announce one /20 instead of 16 x /24). Instead of having 244k routes today, we would have only 160k if they were aggregated properly.

Cisco uses a technique known as TCAM: ternary content addressable memory. TCAM is like RAM but very high performance and very expensive. The routing table is loaded into the TCAM. The router queries the TCAM with an IP address and gets back the matching routes. This lookup is very fast (nanoseconds). The Sup720 supervisor engine in the Catalyst 6500 series is very popular. The Catalyst 6500 series has good port density: the 6509 model has 9 slots, and in one slot you can add a blade with 48 1 Gbps Ethernet RJ45 ports. For the Sup720, there is a hardware limit of 239k entries (IPv4). The default config is 192k. When the limit is exceeded, routing is done in software, which is much slower.

The list price for the recommended upgrade (1000k limit) is $40k, but you can get a used one for $12-14k. If you do not want to upgrade, you can filter out the /24s and add a default route. This will cut the number of routes in half and save you some cash.
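As an added example (not code from the original post), the following standard-library Python script works through the two route-count reductions described above: aggregating contiguous /24s into a single covering prefix, and dropping every /24 behind a default route. The sample routing table is constructed, not real BGP data, and the TCAM figures are the Sup720 numbers quoted in the post.

```python
import ipaddress

# Sup720 IPv4 TCAM figures quoted in the post: default allocation and hardware ceiling.
TCAM_DEFAULT_ENTRIES = 192_000
TCAM_HARDWARE_LIMIT = 239_000

# Constructed sample table (RFC 1918 space, not a real BGP feed): one ISP announcing
# sixteen contiguous /24s that fit in a single /20, one ISP that already aggregates,
# and a few unrelated prefixes of various sizes.
SAMPLE_TABLE = [f"10.0.{i}.0/24" for i in range(16)] + [
    "10.1.0.0/20",
    "10.2.5.0/24",
    "10.3.0.0/16",
    "10.4.8.0/23",
]


def aggregate_routes(prefixes):
    """Collapse contiguous and overlapping prefixes into the fewest covering prefixes,
    i.e. what the table would look like if every ISP announced one /20 instead of
    16 x /24. Returns the prefixes as strings, sorted."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def filter_slash24s(prefixes, default="0.0.0.0/0"):
    """The no-upgrade option from the post: drop every /24 from the table and rely on
    a default route toward the upstream for whatever was reachable only through them."""
    kept = [p for p in prefixes if ipaddress.ip_network(p).prefixlen < 24]
    return kept + [default]


def tcam_status(route_count, allocated=TCAM_DEFAULT_ENTRIES, limit=TCAM_HARDWARE_LIMIT):
    """Classify a table size against the Sup720 figures: fits the default allocation,
    fits only the hardware ceiling, or exceeds the hardware and falls back to software."""
    if route_count <= allocated:
        return "fits default allocation"
    if route_count <= limit:
        return "exceeds default allocation, within hardware limit"
    return "exceeds hardware limit: routed in software"


if __name__ == "__main__":
    print(len(SAMPLE_TABLE), "routes as announced")
    print(len(aggregate_routes(SAMPLE_TABLE)), "routes if aggregated:", aggregate_routes(SAMPLE_TABLE))
    print(len(filter_slash24s(SAMPLE_TABLE)), "routes after dropping /24s and adding a default")
    for count in (175_000, 200_000, 244_000):
        print(count, "routes ->", tcam_status(count))
```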
