[175945] in North American Network Operators' Group


Re: DDOS, IDS, RTBH, and Rate limiting

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Sat Nov 8 22:27:42 2014

X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: "NANOG (nanog@nanog.org)" <nanog@nanog.org>
Date: Sun, 09 Nov 2014 10:27:27 +0700
In-Reply-To: <Pine.LNX.4.61.1411082159590.10544@soloth.lewis.org>
Errors-To: nanog-bounces@nanog.org


On 9 Nov 2014, at 10:12, Jon Lewis wrote:

> The tricky part is when to remove the route...since you can't tell if 
> the attack has ended while the target is black holed by your 
> upstreams.

You can with NetFlow, if you've D/RTBHed the IP in question on your own 
infrastructure.  NetFlow reports statistics on dropped traffic (except 
on a few platforms with implementation deficiencies).

But this kind of thing punishes the victim.  It's far better to do 
everything possible to *protect* the target(s) of an attack, and only 
use D/RTBH as a last resort.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
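
An added example, not code from this thread or from Roland Dobbins: a small Python routine that applies the NetFlow approach described above to decide when a D/RTBH route can be withdrawn. It assumes a collector has already decoded exported flows into the simple record type shown (the field names are an assumption, not any vendor's NetFlow schema), that the exporting router does report flows for packets it drops via the blackhole route (the message notes that a few platforms do not, so the routine returns None rather than mistaking silence for the end of the attack), and uses constructed sample flows toward a victim in TEST-NET-1.

```python
"""Decide when a D/RTBH route for a victim IP can be withdrawn, using
NetFlow records for traffic toward that IP.

Added example, not code from the NANOG thread.  Assumptions: a collector
has already decoded exported flows into FlowRecord (field names are an
assumption, not a vendor schema), and the exporting router reports flows
for packets it drops via the blackhole route.  Sample flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class FlowRecord:
    first_switched: int  # flow start, seconds since epoch
    dst_addr: str
    packets: int
    octets: int


def bin_rates(records, victim, bin_seconds=60):
    """Aggregate flows toward `victim` into fixed bins of `bin_seconds`.

    Returns {bin_start: (packets_per_second, bits_per_second)}.  Flows to
    other destinations on the same exporter are ignored, so a second victim
    being attacked at the same time does not keep this route in place.
    """
    victim_ip = ip_address(victim)
    packets = defaultdict(int)
    octets = defaultdict(int)
    for r in records:
        if ip_address(r.dst_addr) != victim_ip:
            continue
        start = r.first_switched - (r.first_switched % bin_seconds)
        packets[start] += r.packets
        octets[start] += r.octets
    return {b: (packets[b] / bin_seconds, octets[b] * 8 / bin_seconds)
            for b in packets}


def blackhole_can_be_withdrawn(rates, now, *, bin_seconds=60, pps_floor=1000,
                               quiet_bins=5, exporter_reports_drops=True):
    """Hysteresis rule for lifting the blackhole.

    True  -> every one of the last `quiet_bins` bins ending at `now` was
             below `pps_floor`, so the attack traffic has subsided.
    False -> at least one recent bin was still at or above the floor.
    None  -> the platform does not export flows for dropped traffic, so an
             empty bin is indistinguishable from "attack over"; do not
             decide from NetFlow alone on such a box.
    A bin with no records counts as 0 pps, which is only valid because
    dropped traffic is still exported.
    """
    if not exporter_reports_drops:
        return None
    last_bin = now - (now % bin_seconds)
    for i in range(quiet_bins):
        pps, _bps = rates.get(last_bin - i * bin_seconds, (0.0, 0.0))
        if pps >= pps_floor:
            return False
    return True


# Constructed sample data: a flood toward 192.0.2.10 that tails off after
# three minutes, plus one unrelated flow toward 192.0.2.20.
VICTIM = "192.0.2.10"
BASE = 1_700_000_040  # aligned to a 60-second bin boundary
SAMPLE_FLOWS = [
    FlowRecord(BASE + 0,   VICTIM, 5_400_000, 6_480_000_000),  # 90 kpps
    FlowRecord(BASE + 60,  VICTIM, 5_400_000, 6_480_000_000),
    FlowRecord(BASE + 120, VICTIM, 1_800_000, 2_160_000_000),  # 30 kpps
    FlowRecord(BASE + 180, VICTIM, 600, 72_000),               # 10 pps
    FlowRecord(BASE + 240, VICTIM, 300, 36_000),
    FlowRecord(BASE + 300, "192.0.2.20", 3_000_000, 3_600_000_000),
    FlowRecord(BASE + 360, VICTIM, 900, 108_000),
    FlowRecord(BASE + 420, VICTIM, 120, 14_400),
]


def decide(now, **kwargs):
    """Run the rule over the constructed sample flows at time `now`."""
    return blackhole_can_be_withdrawn(bin_rates(SAMPLE_FLOWS, VICTIM), now,
                                      **kwargs)


if __name__ == "__main__":
    for t in (BASE + 299, BASE + 419, BASE + 479):
        print(t - BASE, decide(t))
```

The floor should be set from the victim's normal inbound rate rather than zero, since legitimate traffic toward the blackholed address keeps arriving at the exporter and being dropped, and the rule only sees the exporter on which the null route is installed; once the upstream route is withdrawn, the same collector should keep watching so the route can be re-announced if the flood resumes.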
