[141054] in North American Network Operators' Group


Re: VeriSign Internet Defense Network

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue May 31 15:31:07 2011

In-Reply-To: <D338D1613B32624285BB321A5CF3DB25137BFF1DE1@ginga.ai.net>
Date: Tue, 31 May 2011 15:31:01 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Deepak Jain <deepak@ai.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, May 31, 2011 at 3:06 PM, Deepak Jain <deepak@ai.net> wrote:
> Let's not ignore the value of DNS with a short ttl time. It may not be "as
> quick" as a BGP adjustment, but serves to provide a buttressed front-end IP
> that can restore service "instantly" [faster than getting someone on the
> phone to coordinate the change, etc].
>
> Disclaimer: We provide a service for our customers that does substantially
> this sort of DDOS mitigation.
>

also, note that VerizonBusiness ddos-mitigation service was
no-call-required, just send the right community on a configured
session ... and 'cheap'.

-chris

>>
>> Normally when mitigation is put in place, they advertise a more
>> specific prefix from as26415, scrub the traffic and hand it back to you
>> over a gre tunnel...
>>
>> Obviously some design consideration goes into having services in
>> prefixes you're willing to de-agg in such a fashion... I'd also
>> recommend advertising the more specific out your own ingress paths
>> before they pull your route otherwise the churn while various ASes
>> grind through their longer backup routes takes a while.
>>
>> On May 30, 2011, at 7:43 AM, Rubens Kuhl wrote:
>>
>> > ms made by the product descriptions seem suspect to me.
>> >>
>> >> it claims to be "Carrier-agnostic and ISP-neutral", yet "When an event is
>> >> detected, Verisign will work with the customer to redirect Internet traffic
>> >> destined for the protected service to a Verisign Internet Defense Network
>> >> site."
>> >>
>> >> anyone here have any comments on how this works, and how effective it will be
>> >> vs. dealing directly with your upstream providers and getting them to assist
>> >> in shutting down the attack?
>> >
>> > Anyone willing to announce your IP blocks under attack, receive the
>> > traffic and then tunnel the non-attack traffic back to you can provide
>> > such services without cooperation from your upstreams. I don't know
>> > the details about this particular provider, such as if they announce
>> > your blocks from your or their ASN, if they use more specifics,
>> > communities or are simply very well connected, but as BGP on the DFZ
>> > goes, it can work.
>> >
>> > You might need to get your upstreams to not filter announcements from
>> > your IP block they receive, because that would prevent mitigation for
>> > attack traffic from inside your upstream AS.
>> >
>> > (RPKI could also be a future challenge for such a service, but one could
>> > previously sign ROAs to be used in an attack response)
>> >
>> > Rubens
>> >
>>
>
>
>
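As an added illustration (not from the thread or from any provider named in it), a toy longest-prefix-match model of the mechanism discussed above: the scrubbing AS announces a /24 more-specific, the DFZ prefers it over the customer's aggregate, and an upstream whose prefix-list only accepts the customer's block from the customer's own ASN never installs that more-specific, so attack traffic from inside that upstream still reaches the customer directly. The ASN 64500 and the 192.0.2.0/23 block are constructed documentation values; 26415 is the AS number named in the thread.

```python
import ipaddress

CUSTOMER_AS = 64500          # constructed: the protected network (documentation ASN)
SCRUBBER_AS = 26415          # the scrubbing AS named in the thread
CUSTOMER_BLOCK = ipaddress.ip_network("192.0.2.0/23")   # constructed documentation prefix

def build_rib(announcements, accept):
    """Apply an import policy to (cidr, origin_as) announcements and return a RIB."""
    rib = []
    for cidr, origin in announcements:
        net = ipaddress.ip_network(cidr)
        if accept(net, origin):
            rib.append((net, origin))
    return rib

def best_route(rib, dst):
    """Longest-prefix match: the most specific accepted prefix wins, whoever originated it."""
    addr = ipaddress.ip_address(dst)
    matches = [entry for entry in rib if addr in entry[0]]
    return max(matches, key=lambda e: e[0].prefixlen)[1] if matches else None

def dfz_policy(net, origin):
    # Most DFZ networks drop anything longer than a /24, which is why only
    # services living in prefixes you are willing to de-aggregate to a /24
    # can be pulled to a scrubber this way.
    return net.prefixlen <= 24

def strict_upstream_policy(net, origin):
    # Upstream accepts the customer's block (and anything inside it) only from
    # the customer's ASN, so the scrubber's more-specific is rejected here.
    if net.subnet_of(CUSTOMER_BLOCK):
        return origin == CUSTOMER_AS
    return dfz_policy(net, origin)

def relaxed_upstream_policy(net, origin):
    # Customer asked the upstream to also accept the more-specific from the scrubbing AS.
    return dfz_policy(net, origin)

# Constructed announcements seen during an attack.
ANNOUNCEMENTS = [
    ("192.0.2.0/23", CUSTOMER_AS),   # steady-state aggregate from the customer
    ("192.0.2.0/24", SCRUBBER_AS),   # more-specific pulled in by the scrubber
    ("192.0.2.0/25", SCRUBBER_AS),   # too long: filtered by every policy above
]

def next_hop_as(policy, dst):
    """Which AS a network applying `policy` forwards traffic for `dst` to."""
    return best_route(build_rib(ANNOUNCEMENTS, policy), dst)
```

The other half of the customer's /23 (192.0.3.0/24) stays on the aggregate and is unaffected, which is the "de-agg only what you are willing to" design point from the thread.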
