Mailing List Archive

SRTBH
Since Flowspec arrived, are there any uses for SRTBH?

Anyone using TrinityCyber? They use a different approach to IDS that is not
strictly signature based but more TTP-based. The write-ups appear to be good; curious
if anyone is using their products?


Mike
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: SRTBH [ In reply to ]
Hi,

On Thu, Jul 07, 2022 at 08:41:56AM -0400, harbor235 via juniper-nsp wrote:
> Since Flowspec arrived, are there any uses for SRTBH?

Scaling?

My understanding of flowspec is that it is typically implemented by
programming ACL TCAM, while SRTBH is routing table lookup, so
"some 10.000 lines" vs. "2-4 million".

OTOH, SRTBH is all-or-nothing, not "only port 80"...

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany gert@greenie.muc.de
Re: SRTBH [ In reply to ]
In circumstances where the routing table can help you mitigate an attack, including things that use uRPF, it'll usually scale significantly better than flowspec. This is primarily because flowspec is just a distributed way of programming the firewall, and firewalls on transit routers have many dimensions where they don't scale nicely.

That said, the firewall on many of our platforms for "block these sources" should scale nicely ... but doesn't in flowspec if you have rules that interleave. The interleaving rules interfere with firewall optimization.

The issue above motivates the flowspec v2 work happening in IETF, particularly the user-ordered rules.

-- Jeff


On 7/7/22, 10:02 AM, "juniper-nsp on behalf of Gert Doering via juniper-nsp" <juniper-nsp-bounces@puck.nether.net on behalf of juniper-nsp@puck.nether.net> wrote:
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
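As an added illustration of the two mechanisms Gert and Jeff contrast above (written for this archive page; it is not from any of the posters and not Juniper's own documentation), the Junos configuration below puts source-based RTBH next to a flowspec rule. On the SRTBH side, a BGP-learned /32 tagged with a blackhole community is imported with its next-hop rewritten to a static discard route, and loose-mode uRPF on the edge interface then drops any packet whose source address resolves to that discard route, which is what makes it a source blackhole rather than a destination one. On the flowspec side, a single flow route discards only TCP/80 towards one host and leaves every other flow alone, the "only port 80" case that SRTBH cannot express. Addresses are RFC 5737/5737-style documentation space, the community value 65000:666, the iBGP neighbor and the interface are constructed for the example, and the statements are written from memory of Junos syntax; check them, and the uRPF-fails-on-discard-route behaviour, against the release and platform in use. The `term-order standard` knob selects the deterministic RFC 5575 ordering that today's flowspec uses; it is the fixed ordering that the user-ordered rules Jeff mentions from the flowspec v2 work would replace.

```junos
/* Added example, not from the thread: source-based RTBH (routing table + uRPF)
   beside a flowspec route (distributed firewall programming).
   All prefixes, the community and the neighbor are constructed values. */

routing-options {
    static {
        /* Blackhole next-hop: any route resolved through it is a FIB discard. */
        route 192.0.2.1/32 discard;
    }
    flow {
        /* Deterministic RFC 5575 term ordering instead of legacy Junos ordering. */
        term-order standard;
        /* Flowspec: drop only TCP/80 towards one host; every other flow is untouched.
           Each such route costs firewall/TCAM entries, not a FIB entry. */
        route BLOCK-HTTP-TO-WEB1 {
            match {
                destination 198.51.100.10/32;
                protocol tcp;
                destination-port 80;
            }
            then discard;
        }
    }
}

policy-options {
    community BLACKHOLE members 65000:666;
    /* Import policy for the iBGP session that carries blackhole routes:
       only host routes tagged BLACKHOLE may be pointed at the discard next-hop. */
    policy-statement SRTBH-IMPORT {
        term blackhole-hosts {
            from {
                protocol bgp;
                community BLACKHOLE;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                next-hop 192.0.2.1;
                accept;
            }
        }
        /* Guardrail: a BLACKHOLE-tagged route that is not a /32 is refused
           rather than silently blackholing a whole block. */
        term reject-other-blackhole {
            from community BLACKHOLE;
            then reject;
        }
    }
}

protocols {
    bgp {
        group ibgp-blackhole {
            type internal;
            import SRTBH-IMPORT;
            neighbor 203.0.113.1;
        }
    }
}

interfaces {
    xe-0/0/0 {
        description "peering/transit edge";
        unit 0 {
            family inet {
                /* Loose uRPF: a packet whose source resolves to the discard route
                   fails the check and is dropped. This is what turns the /32 above
                   into a *source* blackhole; it is all-or-nothing per source. */
                rpf-check {
                    mode loose;
                }
                address 203.0.113.10/30;
            }
        }
    }
}
```

To blackhole a source with this in place, the route server (or a scripted BGP speaker) announces the attacker's /32 with community 65000:666; the route lands in the FIB like any other prefix, which is why it scales with the routing table rather than with firewall term count. To instead filter one port, a flow route like BLOCK-HTTP-TO-WEB1 is added, and because each flow route is a firewall term, the number of interleaved terms, not the FIB size, is the limit to watch.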
Re: SRTBH [ In reply to ]
thanks for the input

Mike

On Thu, Jul 7, 2022 at 10:20 AM Jeff Haas <jhaas@juniper.net> wrote:
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp