[141053] in North American Network Operators' Group
RE: VeriSign Internet Defense Network
daemon@ATHENA.MIT.EDU (Deepak Jain)
Tue May 31 15:07:29 2011
From: Deepak Jain <deepak@ai.net>
To: Joel Jaeggli <joelja@bogus.com>, Rubens Kuhl <rubensk@gmail.com>
Date: Tue, 31 May 2011 15:06:46 -0400
In-Reply-To: <0A51200D-1499-4B0E-B4AF-9EE514558E15@bogus.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Let's not ignore the value of DNS with a short ttl time. It may not be "as quick" as a BGP adjustment, but serves to provide a buttressed front-end IP that can restore service "instantly" [faster than getting someone on the phone to coordinate the change, etc].

Disclaimer: We provide a service for our customers that does substantially this sort of DDOS mitigation.
DJ
>
> Normally when mitigation is put in place, they advertise a more
> specific prefix from as26415, scrub the traffic and hand it back to you
> over a gre tunnel...
>
> Obviously some design consideration goes into having services in
> prefixes you're willing to de-agg in such a fashion... I'd also
> recommend advertising the more specific out your own ingress paths
> before they pull your route otherwise the churn while various ASes
> grind through their longer backup routes takes a while.
>
> On May 30, 2011, at 7:43 AM, Rubens Kuhl wrote:
>
> > ms made by the product descriptions seem suspect to me.
> >>
> >> it claims to be "Carrier-agnostic and ISP-neutral", yet "When an event is
> >> detected, Verisign will work with the customer to redirect Internet traffic
> >> destined for the protected service to a Verisign Internet Defense Network
> >> site."
> >>
> >> anyone here have any comments on how this works, and how effective it will be
> >> vs. dealing directly with your upstream providers and getting them to assist
> >> in shutting down the attack?
> >
> > Anyone willing to announce your IP blocks under attack, receive the
> > traffic and then tunnel the non-attack traffic back to you can provide
> > such services without cooperation from your upstreams. I don't know
> > the details about this particular provider, such as if they announce
> > your blocks from your or their ASN, if they use more specifics,
> > communities or are simply very well connected, but as BGP on the DFZ
> > goes, it can work.
> >
> > You might need to get your upstreams to not filter announcements from
> > your IP block they receive, because that would prevent mitigation for
> > attack traffic from inside your upstream AS.
> >
> > (RPKI could also be a future challenge for such service, but one could
> > previously sign ROAs to be used in an attack response)
> >
> > Rubens
> >
>