[177262] in North American Network Operators' Group
Re: DDOS solution recommendation
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Sun Jan 11 09:58:35 2015
X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: "NANOG list" <nanog@nanog.org>
Date: Sun, 11 Jan 2015 21:58:12 +0700
In-Reply-To: <CAD6AjGSW27qiA3BbS--KK27APZp2FsBtTt=oRLHcSztRdHH-9Q@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org
On 11 Jan 2015, at 20:52, Ca By wrote:
> 1. BCP38 protects your neighbor, do it.
It's to protect yourself, as well. You should do it all the way down to
the transit customer aggregation edge, all the way down to the IDC
access layer, etc.
> 2. Protect yourself by having your upstream police Police UDP to some
> baseline you are comfortable with.
This will come back to haunt you, when the programmatically-generated
attack traffic 'crowds out' the legitimate traffic and everything
breaks.
You can only really do this for ntp.
> 3. Have RTBH ready for some special case.
S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
