[120824] in North American Network Operators' Group


Re: D/DoS mitigation hardware/software needed.

daemon@ATHENA.MIT.EDU (Adrian Chadd)
Tue Jan 5 00:40:09 2010

Date: Tue, 5 Jan 2010 13:39:04 +0800
From: Adrian Chadd <adrian@creative.net.au>
To: Stefan Fouant <sfouant@shortestpathfirst.net>
In-Reply-To: <005101ca8dc8$c418dda0$4c4a98e0$@net>
Cc: 'NANOG list' <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Jan 05, 2010, Stefan Fouant wrote:

> Almost all of the scalable DDoS mitigation architectures deployed in
> carriers or other large enterprises employ the use of an offramp method.
> These devices perform a lot better when you can forward just the subset of
> the traffic through as opposed to all.  It's just a simple matter of using
> static routing / RTBH techniques / etc. to automate the offramp.

Has anyone deployed a DDoS distributed enough to inject ETOOMANY routes into
the hardware forwarding tables of routers?

I mean, I assume that there are checks and balances in place to limit
the number of routes being injected into the network so one doesn't
overload the tables, but what's the behaviour if/when this limit is
reached? Does mitigation cease being as effective?

Adrian
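As an added illustration of the limit Adrian asks about (this is not part of the thread or any vendor's code): a small Python model of a hardware forwarding table with a hard prefix limit. Naive per-host RTBH injection silently stops protecting against new sources once the table is full, while a planner that widens the blackhole prefixes until they fit keeps mitigating at the cost of collateral addresses. The source addresses are constructed from documentation ranges and the FIB limit of 100 is an assumed value.

```python
import ipaddress

# Constructed attack sources (documentation ranges, not real attackers):
# every even host in 203.0.113.0/24 plus every fourth host in 198.51.100.0/24.
SOURCES = [f"203.0.113.{i}" for i in range(0, 256, 2)] + \
          [f"198.51.100.{i}" for i in range(0, 256, 4)]


class Fib:
    """Model of a hardware forwarding table with a hard prefix limit."""

    def __init__(self, limit):
        self.limit = limit
        self.routes = set()
        self.rejected = []  # injections the router could not install

    def inject(self, prefix):
        if len(self.routes) >= self.limit:
            self.rejected.append(prefix)  # table full: this source stays unblocked
            return False
        self.routes.add(prefix)
        return True


def naive_rtbh(sources, fib):
    """Inject one /32 blackhole per source; return how many were refused."""
    for s in sources:
        fib.inject(ipaddress.IPv4Network(s + "/32"))
    return len(fib.rejected)


def blackhole_plan(sources, fib_limit):
    """Return (prefixes, collateral) that fit under fib_limit (IPv4 only).

    Start with host routes, widen the mask one bit at a time and collapse
    overlapping/adjacent networks until the plan fits.  collateral is the
    number of covered addresses that are not attack sources.
    """
    hosts = {ipaddress.IPv4Address(s) for s in sources}
    for plen in range(32, -1, -1):
        nets = {ipaddress.IPv4Network((h, plen), strict=False) for h in hosts}
        prefixes = sorted(ipaddress.collapse_addresses(nets))
        if len(prefixes) <= fib_limit:
            covered = sum(p.num_addresses for p in prefixes)
            return prefixes, covered - len(hosts)
    raise ValueError("fib_limit must be at least 1")


if __name__ == "__main__":
    fib = Fib(100)
    print("naive RTBH: refused", naive_rtbh(SOURCES, fib), "of", len(SOURCES))
    plan, collateral = blackhole_plan(SOURCES, 100)
    print("aggregated plan:", len(plan), "prefixes, collateral", collateral)
```

With the constructed input the naive approach leaves 92 of 192 sources unblocked, whereas widening to /31 and collapsing yields 65 prefixes (including the whole 203.0.113.0/24) at the cost of 192 non-attacker addresses also being blackholed.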
