[166540] in North American Network Operators' Group
DDoS Prevention for a Transit Provider
daemon@ATHENA.MIT.EDU (Jack Stonebraker)
Wed Oct 30 11:45:39 2013
From: Jack Stonebraker <Jack.Stonebraker@mygrande.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 30 Oct 2013 15:42:29 +0000
I'm looking to pick the brain of any Engineers out there who have deployed a DDoS Prevention strategy for an MSO that also runs their own transport network. Recently, we have been seeing increasingly large spikes of traffic traversing our core. We have determined the destination to be arbitrary, but often it is some host (a Customer CPE) south of one of our CMTS's. While we enforce ingress and egress rate limits facing the customers, the core-facing network is pretty wide open, allowing the BGP mesh to steer traffic as needed.

Initially, we've been trying to do root analysis of the traffic makeup via JFLOW data to see if simple ACL's might be a temporary stopgap, but I also want to explore a more elegant, long-term solution.

The introduction of IPS's feels cost prohibitive, especially since they would need to be performing control at the core, as we provide wholesale transport services on top of our enterprise services, and that makes for a huge amount of homogenized traffic to be inspected.

Generally, the core can weather these spikes. Instead, it's the edge and the corresponding L3-to-L2 trunks that become saturated.
Any thoughts or comments would be greatly appreciated. Thanks.
JJ Stonebraker
IP Network Engineering
Grande Communications
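The post above describes going through JFLOW exports by hand to see whether the spikes are concentrated enough on one customer host for a simple ACL to be a stopgap. The following is an added example of that analysis, not code from the poster or from Grande. It assumes the flow records have already been exported to a plain text form (one record per line: source, destination, protocol, destination port, packets, bytes), which is roughly what a collector prints after decoding NetFlow/JFLOW; the field order, the sample records and the thresholds are constructed for this example, and the suggested ACL and black-hole route lines are illustrative text rather than any specific vendor's syntax.

```python
"""Flow-based detection of a volumetric DDoS aimed at a single customer host.

Added example (not from the original NANOG post). Assumes flow records were
exported as space-separated text with the constructed field order below.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export: src_ip dst_ip proto dst_port packets bytes
# One destination (203.0.113.77) is being flooded with DNS and NTP replies
# from several sources; the others carry ordinary low-volume traffic.
SAMPLE_FLOWS = """\
198.51.100.10 203.0.113.77 17 53 120000 96000000
198.51.100.11 203.0.113.77 17 53 118000 94400000
198.51.100.12 203.0.113.77 17 53 121000 96800000
198.51.100.13 203.0.113.77 17 53 119500 95600000
192.0.2.20 203.0.113.77 17 123 90000 43200000
192.0.2.21 203.0.113.77 17 123 91000 43680000
192.0.2.30 203.0.113.45 6 443 800 640000
192.0.2.31 203.0.113.45 6 443 650 520000
192.0.2.32 203.0.113.46 6 80 1200 960000
198.51.100.40 203.0.113.47 6 22 40 4000
"""


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    bytes: int


def parse_flows(text):
    """Parse the constructed export into Flow objects, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            flows.append(Flow(parts[0], parts[1], int(parts[2]), int(parts[3]),
                              int(parts[4]), int(parts[5])))
        except ValueError:
            continue  # non-numeric field: ignore the record rather than abort
    return flows


def find_victims(flows, min_share=0.5, min_sources=4, window_seconds=60):
    """Return per-destination stats for hosts that look like DDoS victims.

    A destination is flagged when it receives at least `min_share` of all
    bytes in the window AND the traffic arrives from at least `min_sources`
    distinct sources. The fan-in test separates an attack from one large
    legitimate transfer. `window_seconds` is the assumed export interval and
    is used only to express an approximate bit rate.
    """
    total_bytes = sum(f.bytes for f in flows)
    per_dst = defaultdict(lambda: {"bytes": 0, "sources": set(),
                                   "ports": defaultdict(int)})
    for f in flows:
        d = per_dst[f.dst]
        d["bytes"] += f.bytes
        d["sources"].add(f.src)
        d["ports"][(f.proto, f.dport)] += f.bytes

    victims = {}
    for dst, d in per_dst.items():
        share = d["bytes"] / total_bytes if total_bytes else 0.0
        if share >= min_share and len(d["sources"]) >= min_sources:
            top_proto, top_port = max(d["ports"], key=d["ports"].get)
            victims[dst] = {
                "share": round(share, 3),
                "sources": len(d["sources"]),
                "mbps": round(d["bytes"] * 8 / window_seconds / 1e6, 1),
                "top_proto": top_proto,
                "top_port": top_port,
            }
    return victims


def mitigation_candidates(victims):
    """Render the two stop-gap actions the post weighs: a narrow ACL on the
    dominant protocol/port toward the victim, or a /32 black-hole route that
    sacrifices the one CPE to protect the shared L3-to-L2 trunk. Output is
    text for an engineer to review; nothing is pushed to a device."""
    out = []
    for dst, v in victims.items():
        proto = {6: "tcp", 17: "udp"}.get(v["top_proto"], str(v["top_proto"]))
        out.append(
            f"# {dst}: ~{v['mbps']} Mbps from {v['sources']} sources, "
            f"{v['share']:.0%} of window bytes\n"
            f"deny {proto} any host {dst} eq {v['top_port']}   # illustrative ACL line\n"
            f"ip route {dst} 255.255.255.255 Null0           # illustrative RTBH /32"
        )
    return out


if __name__ == "__main__":
    for entry in mitigation_candidates(find_victims(parse_flows(SAMPLE_FLOWS))):
        print(entry)
```

With the sample export, only 203.0.113.77 is flagged: it draws over 99% of the window's bytes from six sources, dominated by UDP/53. The two low-volume destinations are left alone even though one of them also has two sources, because neither test trips. Lowering `min_share` or raising the window length trades false positives for earlier detection; an operator would tune both against their own baseline before acting on the output.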