[175952] in North American Network Operators' Group
Re: DDOS, IDS, RTBH, and Rate limiting
daemon@ATHENA.MIT.EDU (joel jaeggli)
Sun Nov 9 00:22:36 2014
X-Original-To: nanog@nanog.org
Date: Sat, 08 Nov 2014 21:22:05 -0800
From: joel jaeggli <joelja@bogus.com>
To: Roland Dobbins <rdobbins@arbor.net>, NANOG <nanog@nanog.org>
In-Reply-To: <A035443B-2B27-4310-BC1A-6D48AE50414F@arbor.net>
Errors-To: nanog-bounces@nanog.org
On 11/8/14 6:28 PM, Roland Dobbins wrote:
>
> On 9 Nov 2014, at 8:59, Frank Bulk wrote:
>
>> I've written it before: if there was a software feature in routers
>> where I
>> could specify the maximum rate any prefix size (up to /32) could receive,
>> that would be very helpful.
>
> QoS generally isn't a suitable mechanism for DDoS mitigation, as the
> programmatically-generated attack traffic ends up 'crowding out'
> legitimate traffic.
If you can identify attack traffic well enough to police it reliably,
then you can also drop it on the floor.
> S/RTBH, flowspec, and other methods tend to produce better results.
yup.
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>
>
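An added illustration of the two points in the exchange above (this is not code from the thread or from any of the posters): a toy token-bucket policer applied to everything destined for one /32, next to a drop-on-match step of the kind S/RTBH or a flowspec discard action performs once the attack traffic can be classified. The traffic mix, rates and burst size are constructed numbers chosen for the demonstration, not measurements.

```python
"""Per-prefix rate limiting versus classify-and-drop under a flood.

Constructed simulation (not a capture): 1,000 pps of legitimate traffic
and 49,000 pps of attack traffic, both towards a single /32, over one
second with uniformly random arrival times.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds, 0 <= t < 1
    attack: bool    # True for the synthetic flood, False for real clients


def make_traffic(legit_pps, attack_pps, seed=1):
    """Constructed sample stream to one destination prefix, sorted by time."""
    rng = random.Random(seed)
    pkts = [Packet(rng.random(), False) for _ in range(legit_pps)]
    pkts += [Packet(rng.random(), True) for _ in range(attack_pps)]
    pkts.sort(key=lambda p: p.t)
    return pkts


def police(packets, rate_pps, burst):
    """Token-bucket policer on the destination prefix.

    It cannot tell attack from legitimate packets: whoever arrives while a
    token is available is admitted, so a flood that dominates the offered
    load takes almost all of the tokens.
    """
    tokens = float(burst)
    last = 0.0
    admitted = []
    for p in packets:
        tokens = min(float(burst), tokens + (p.t - last) * rate_pps)
        last = p.t
        if tokens >= 1.0:
            tokens -= 1.0
            admitted.append(p)
    return admitted


def drop_classified(packets, is_attack):
    """Drop-on-match: packets the classifier flags are discarded, the rest
    pass untouched. This is the action RTBH/flowspec applies once the attack
    traffic is identifiable; the classifier here is hypothetical."""
    return [p for p in packets if not is_attack(p)]


def survival(packets, admitted):
    """(fraction of legit delivered, fraction of attack delivered)."""
    def frac(flag):
        total = sum(1 for p in packets if p.attack == flag)
        kept = sum(1 for p in admitted if p.attack == flag)
        return kept / total if total else 0.0
    return frac(False), frac(True)


def compare(legit_pps=1000, attack_pps=49000, rate_pps=5000, burst=100):
    """Run both mitigations over the same constructed stream."""
    pkts = make_traffic(legit_pps, attack_pps)
    policed = survival(pkts, police(pkts, rate_pps, burst))
    classified = survival(pkts, drop_classified(pkts, lambda p: p.attack))
    return {"policed": policed, "classified_drop": classified}


if __name__ == "__main__":
    r = compare()
    for name, (legit, attack) in r.items():
        print("%-16s legit delivered %5.1f%%  attack delivered %5.1f%%"
              % (name, 100 * legit, 100 * attack))
```

With a 5,000 pps limit against 50,000 pps of offered load, the policer admits roughly one packet in ten regardless of who sent it, so legitimate clients lose about 90% of their packets along with the flood: the crowding-out effect. The classify-and-drop path delivers all legitimate packets and none of the attack, which is the reason for the reply that anything you can police reliably you can just as well drop.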