[171748] in North American Network Operators' Group
Re: level3 dia egress filtering?
daemon@ATHENA.MIT.EDU (Christopher Rogers)
Mon May 12 18:29:30 2014
Date: Mon, 12 May 2014 15:27:26 -0700
From: Christopher Rogers <phiber@phiber.org>
To: nanog@nanog.org
Not specific ports, but something more like:
'deny udp any my.target.slash.25 0.0.255.255'
BGP blackholing will obviously impact all traffic to a target.
-chris
2014-05-12 15:20 GMT-07:00 Bob Evans <bob@fiberinternetcenter.com>:
> Are you asking a transit network to filter specific ports as an end user
> or as an ISP who has Level 3 as a transit provider?
>
> I haven't seen that a specific port could be dropped by any network... Only
> aware of BGP community strings like 3356:9999 - black hole (discard all
> traffic for specific IP range) traffic type abilities.
>
> We have and will filter specific ports for customers. But this port type
> ACL is completed by hand....I haven't seen anyone implement this using a
> BGP community string.
>
> Bob Evans
> CTO
> Fiber Internet Center
> Thank You
> Bob Evans
> CTO
>
>
> > We contacted Level3 a few weeks back, and were told that they do not
> > provide any filtering service.
> > I've not been able to confirm this from anyone else, besides the Level3
> > customer service rep we spoke with.
> >
> > Currently looking into a DDoS protection service from Akamai. Sounds
> > awesome what they can do, but often "awesome" translates to "overkill"
> > and/or "too expensive".
> >
> > -Petter
> >
> > -----Original Message-----
> > From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Christopher
> > Rogers
> > Sent: Monday, May 12, 2014 2:47 PM
> > To: nanog@nanog.org
> > Subject: level3 dia egress filtering?
> >
> > Does anyone have any experience dealing with level3 in trying to get
> > egress filters applied to an internet dia link with them?
> >
> > I've been trying to get them to apply an egress filter to drop all of udp
> > to a certain /25 on my network that's been getting hammered by a dns
> > amplification attack, and I am being told that they can only 'drop an
> > entire protocol, and not to a specific ip address or range.'
> >
> > Can anyone confirm if that's the case?
> >
> > cheers
> > -chris