[177265] in North American Network Operators' Group


Re: DDOS solution recommendation

daemon@ATHENA.MIT.EDU (Dave Bell)
Sun Jan 11 10:10:26 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <9A37AC87-6AEE-4A06-A413-CFD07E9453FF@fastreturn.net>
Date: Sun, 11 Jan 2015 15:08:25 +0000
From: Dave Bell <me@geordish.org>
To: Ammar Zuberi <ammar@fastreturn.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Maybe try the Cisco CSR1000v. In the trial mode it won't give you a
decent throughput, but should have all features enabled.

On 11 January 2015 at 15:02, Ammar Zuberi <ammar@fastreturn.net> wrote:
> I’m stuck trying to find a virtual router environment that I can play with flowspec on. We do have some Juniper routers, but they are in production and I don’t think I want to touch flowspec on them just yet.
>
> Does anyone have any experience or any ideas here? Even openbgpd?
>
>> On Jan 11, 2015, at 6:58 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
>>
>>
>> On 11 Jan 2015, at 20:52, Ca By wrote:
>>
>>> 1. BCP38 protects your neighbor, do it.
>>
>> It's to protect yourself, as well.  You should do it all the way down to the transit customer aggregation edge, all the way down to the IDC access layer, etc.
>>
>>> 2.  Protect yourself by having your upstream police UDP to some
>>> baseline you are comfortable with.
>>
>> This will come back to haunt you, when the programmatically-generated attack traffic 'crowds out' the legitimate traffic and everything breaks.
>>
>> You can only really do this for ntp.
>>
>>> 3.  Have RTBH ready for some special case.
>>
>> S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
>>
>> -----------------------------------
>> Roland Dobbins <rdobbins@arbor.net>
>
