[121146] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Rick Ernst)
Mon Jan 11 14:17:21 2010
In-Reply-To: <000501ca92d9$1b575ff0$52061fd0$@net>
Date: Mon, 11 Jan 2010 11:16:50 -0800
From: Rick Ernst <nanog@shreddedmail.com>
To: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Right. Some providers allow you to BGP community trigger RTBH. There was a
separate mention of D/DoS-mitigation-providers using DNS and BGP tunneling.
Rick
On Mon, Jan 11, 2010 at 8:14 AM, Stefan Fouant <sfouant@shortestpathfirst.net> wrote:
> > -----Original Message-----
> > From: Rick Ernst [mailto:nanog@shreddedmail.com]
> > Sent: Monday, January 11, 2010 10:39 AM
> > To: NANOG
> > Subject: Re: D/DoS mitigation hardware/software needed.
> >
> > As a service-provider/data-center, it seems like outsourcing would be
> > either ineffective and/or removes the "big red button" in case of trouble.
> >
> > Am I missing something, overly paranoid, or are there other mechanisms
> > for outsourced protection?
>
> In fact, quite the opposite. Those providers who do offer DDoS mitigation
> services usually allow the customer to trigger the redirect in a manner
> similar to RTBHs by substituting the blackhole community for some type of
> mitigation community. This causes the Provider's edge router (or Route
> Server) to advertise the affected route within the Service Provider's
> network with a next-hop of the scrubbers.
>
> There are some providers who do auto-mitigation on behalf of the customer,
> but IMO this approach is asking for trouble.
>
> Stefan Fouant, CISSP, JNCIE-M/T
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
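A toy model of the provider-edge policy Stefan describes, added here as an illustration and not taken from the thread or from any vendor's configuration. Everything concrete in it is an assumption: the provider ASN 64496 and customer ASN 65001 are documentation ASNs, the prefixes are from the documentation ranges, the community values 666/667, the discard and scrubber next-hops, and the prefix-length limits are made up for the example. It shows the customer tagging a route with a mitigation community to get it redirected to the scrubbers, tagging a host route with the blackhole community to have it dropped, and then re-announcing without the community to end mitigation, which is the "big red button" staying in the customer's hands.

```python
"""Model of a provider edge / route-server import policy that acts on
customer-signalled BGP communities.  Added example, not real provider config:
all ASNs, prefixes, community values and next-hops below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

PROVIDER_ASN = 64496                        # assumed (RFC 5398 documentation ASN)
BLACKHOLE = f"{PROVIDER_ASN}:666"           # assumed: "drop this at every edge" (RTBH)
MITIGATE = f"{PROVIDER_ASN}:667"            # assumed: "forward this via the scrubbers"
DISCARD_NEXT_HOP = "192.0.2.1"              # assumed: statically routed to discard on every PE
SCRUBBER_NEXT_HOP = "198.51.100.1"          # assumed: scrubbing-centre next-hop
MIN_MITIGATE_LEN = {4: 24, 6: 48}           # assumed policy: nothing broader than this is redirected

# Assumed customer allocations; triggers are honoured only for space the customer holds.
CUSTOMER_ALLOCATIONS = {
    65001: [ip_network("203.0.113.0/24"), ip_network("2001:db8:1::/48")],
}


@dataclass(frozen=True)
class Announcement:
    customer_asn: int
    prefix: str
    next_hop: str               # next-hop as sent by the customer (normally its CE address)
    communities: tuple = ()     # e.g. ("64496:667",)


@dataclass(frozen=True)
class Decision:
    accepted: bool
    next_hop: Optional[str]
    reason: str


def evaluate(ann: Announcement) -> Decision:
    """Return what the provider edge installs for this announcement."""
    try:
        net = ip_network(ann.prefix, strict=True)
    except ValueError as exc:
        return Decision(False, None, f"malformed prefix: {exc}")
    owned = any(net.version == alloc.version and net.subnet_of(alloc)
                for alloc in CUSTOMER_ALLOCATIONS.get(ann.customer_asn, []))
    if not owned:
        return Decision(False, None, "prefix outside customer allocation")
    tags = set(ann.communities)
    if BLACKHOLE in tags and MITIGATE in tags:
        return Decision(False, None, "blackhole and mitigation communities are mutually exclusive")
    if BLACKHOLE in tags:
        host_len = 32 if net.version == 4 else 128
        if net.prefixlen != host_len:       # never let a customer null-route a whole block
            return Decision(False, None, "blackhole accepted for host routes only")
        return Decision(True, DISCARD_NEXT_HOP, "RTBH: next-hop rewritten to discard")
    if MITIGATE in tags:
        if net.prefixlen < MIN_MITIGATE_LEN[net.version]:
            return Decision(False, None, "mitigation prefix too broad")
        return Decision(True, SCRUBBER_NEXT_HOP, "mitigation: next-hop rewritten to scrubbers")
    return Decision(True, ann.next_hop, "ordinary route, next-hop left as received")


class EdgeRib:
    """Prefix -> installed next-hop.  An UPDATE for a prefix replaces the path
    previously received for it, so a rejected replacement leaves no route."""

    def __init__(self) -> None:
        self.routes: dict = {}

    def announce(self, ann: Announcement) -> Decision:
        d = evaluate(ann)
        if d.accepted:
            self.routes[ann.prefix] = d.next_hop
        else:
            self.routes.pop(ann.prefix, None)
        return d

    def withdraw(self, prefix: str) -> None:
        self.routes.pop(prefix, None)

    def next_hop(self, prefix: str) -> Optional[str]:
        return self.routes.get(prefix)


def demo() -> dict:
    """Attack start and end as driven from the customer side; returns the next-hops seen."""
    rib = EdgeRib()
    ce = "10.0.0.2"  # assumed customer CE address on the PE-CE link
    rib.announce(Announcement(65001, "203.0.113.0/24", ce))
    before = rib.next_hop("203.0.113.0/24")
    rib.announce(Announcement(65001, "203.0.113.0/24", ce, (MITIGATE,)))   # attack: divert to scrubbers
    during = rib.next_hop("203.0.113.0/24")
    rib.announce(Announcement(65001, "203.0.113.7/32", ce, (BLACKHOLE,)))  # one target is hopeless: drop it
    host = rib.next_hop("203.0.113.7/32")
    rib.announce(Announcement(65001, "203.0.113.0/24", ce))                # attack over: plain re-announce
    after = rib.next_hop("203.0.113.0/24")
    rib.withdraw("203.0.113.7/32")
    return {"before": before, "during": during, "host": host, "after": after}


if __name__ == "__main__":
    print(demo())
```

The ownership check and the prefix-length limits are the part worth copying: without them a community trigger is a way for one customer to blackhole or redirect someone else's space, or their own entire block, with a single UPDATE.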