|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
X-Original-To: nanog@nanog.org From: Ammar Zuberi <ammar@fastreturn.net> In-Reply-To: <5A6E09C5-ED1C-4DB5-9E48-74F54D5C5131@arbor.net> Date: Sun, 11 Jan 2015 19:02:50 +0400 To: Roland Dobbins <rdobbins@arbor.net> Cc: NANOG list <nanog@nanog.org> Errors-To: nanog-bounces@nanog.org I=E2=80=99m stuck trying to find a virtual router environment that I can = play with flowspec on. We do have some Juniper routers, but they are in = production and I don=E2=80=99t think I want to touch flowspec on them = just yet. Does anyone have any experience or any ideas here? Even openbgpd? > On Jan 11, 2015, at 6:58 PM, Roland Dobbins <rdobbins@arbor.net> = wrote: >=20 >=20 > On 11 Jan 2015, at 20:52, Ca By wrote: >=20 >> 1. BCP38 protects your neighbor, do it. >=20 > It's to protect yourself, as well. You should do it all the way down = to the transit customer aggregation edge, all the way down to the IDC = access layer, etc. >=20 >> 2. Protect yourself by having your upstream police Police UDP to = some >> baseline you are comfortable with. >=20 > This will come back to haunt you, when the programmatically-generated = attack traffic 'crowds out' the legitimate traffic and everything = breaks. >=20 > You can only really do this for ntp. >=20 >> 3. Have RTBH ready for some special case. >=20 > S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too). >=20 > ----------------------------------- > Roland Dobbins <rdobbins@arbor.net>
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |