[146072] in North American Network Operators' Group

Re: Colocation providers and ACL requests

daemon@ATHENA.MIT.EDU (Jack Bates)
Tue Nov 1 16:20:30 2011

Date: Tue, 01 Nov 2011 15:19:39 -0500
From: Jack Bates <jbates@brightok.net>
To: NANOG mailing list <nanog@nanog.org>
In-Reply-To: <4EB038E7.4070703@kl.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 11/1/2011 1:22 PM, Kevin Loch wrote:
> Christopher Pilkington wrote:
>> Is it common in the industry for a colocation provider, when requested
>> to put an egress ACL facing us such as:
>>
>> deny udp any a.b.c.d/24 eq 80
>>
>> …to refuse and tell us we must subscribe to their managed DDOS product?
>
> We have always accommodated temporary ACLs for active DDOS attacks. I
> think that is fairly standard across the ISP/hosting industry.
>
> I do feel it is bad practice to regularly implement customer-specific
> ACLs on routers. If a customer wants a managed firewall we have a
> full range of those services available.
>

And Managed DDOS products better be a LOT more than an ACL. If I'm going
to pay someone to manage DDOS, they will scrub the traffic and let all
my legitimate traffic through. That's what I'm paying for. Null routing
an IP or a simple ACL isn't worth paying a dime for.


Jack

