[177267] in North American Network Operators' Group
Re: DDOS solution recommendation
daemon@ATHENA.MIT.EDU (Ca By)
Sun Jan 11 10:24:26 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <5A6E09C5-ED1C-4DB5-9E48-74F54D5C5131@arbor.net>
Date: Sun, 11 Jan 2015 07:23:47 -0800
From: Ca By <cb.list6@gmail.com>
To: Roland Dobbins <rdobbins@arbor.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Sun, Jan 11, 2015 at 6:58 AM, Roland Dobbins <rdobbins@arbor.net> wrote:
>
> On 11 Jan 2015, at 20:52, Ca By wrote:
>
>> 1. BCP38 protects your neighbor, do it.
>>
>
> It's to protect yourself, as well. You should do it all the way down to
> the transit customer aggregation edge, all the way down to the IDC access
> layer, etc.
>
>> 2. Protect yourself by having your upstream police UDP to some
>> baseline you are comfortable with.
>>
>
> This will come back to haunt you, when the programmatically-generated
> attack traffic 'crowds out' the legitimate traffic and everything breaks.
>
> You can only really do this for ntp.
I do it for all UDP. There are bw policers and pps policers. As I said,
this is known to work for me. YMMV.
It is a managed risk, like anything. There are no silver bullets.
I feel bad for people developing things like QUIC and WebRTC on UDP. But I
have already informed them of this risk of using UDP instead of a new L4
protocol.
Protip: UDP is a cesspool. Don't build things on a cesspool where the vast
majority of traffic is illegitimate. Guilt by association is a real
thing.
UDP will not have a renaissance.
CB
>
>
>> 3. Have RTBH ready for some special case.
>>
>
> S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
>
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>
>
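The two policer types CB mentions (a bandwidth policer and a pps policer on all inbound UDP) and Roland's objection that flood traffic "crowds out" legitimate traffic can both be seen in a small simulation. The code below is an added example written for this archive page; it is not code from either poster and does not model any particular vendor's policer. It implements a dual token-bucket policer (bytes and packets), then runs constructed traffic through it: a steady 200 pps stream of 300-byte legitimate UDP, optionally joined by a 50 kpps flood of either 1000-byte amplification-sized replies or 64-byte query-sized packets. All rates, sizes, burst depths and timestamps are assumptions chosen for illustration.

```python
"""Dual token-bucket UDP policer (bandwidth + packets-per-second), simulated.

Added example for this thread; it is not code from either poster. It models
the two policer types mentioned ("bw policers and pps policers") applied to
all inbound UDP, then runs constructed traffic through them to measure what
the thread calls crowding out: how many legitimate UDP packets are dropped
once a flood saturates the buckets. Every rate, size and timestamp below is
a constructed assumption, not measured data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

US_PER_S = 1_000_000


class TokenBucket:
    """Token bucket kept in integer token-microseconds so every run is exact."""

    def __init__(self, rate_per_s: int, burst: int) -> None:
        self.rate = rate_per_s                 # tokens added per second
        self.capacity = burst * US_PER_S       # bucket depth
        self.level = self.capacity             # starts full
        self.last_us = 0

    def refill(self, now_us: int) -> None:
        self.level = min(self.capacity, self.level + (now_us - self.last_us) * self.rate)
        self.last_us = now_us

    def has(self, cost: int) -> bool:
        return self.level >= cost * US_PER_S

    def take(self, cost: int) -> None:
        self.level -= cost * US_PER_S


@dataclass(frozen=True)
class Packet:
    ts_us: int
    size: int     # bytes on the wire
    legit: bool   # constructed ground truth, used only for reporting


class UdpPolicer:
    """Admits a UDP packet only if both the byte bucket and the packet bucket
    have room; a dropped packet consumes nothing from either."""

    def __init__(self, bps: int, bps_burst: int, pps: int, pps_burst: int) -> None:
        self.bw = TokenBucket(bps // 8, bps_burst // 8)   # bytes
        self.pk = TokenBucket(pps, pps_burst)             # packets

    def admit(self, pkt: Packet) -> bool:
        self.bw.refill(pkt.ts_us)
        self.pk.refill(pkt.ts_us)
        if self.bw.has(pkt.size) and self.pk.has(1):
            self.bw.take(pkt.size)
            self.pk.take(1)
            return True
        return False


def legit_stream(seconds: int, pps: int, size: int) -> List[Packet]:
    """Steady legitimate UDP (think DNS or NTP replies) with deterministic
    odd-microsecond jitter so it never lands exactly on a flood burst."""
    period = US_PER_S // pps
    return [Packet(i * period + 1 + 2 * ((i * 7919) % 487), size, True)
            for i in range(seconds * pps)]


def flood(start_s: int, seconds: int, burst_pkts: int, size: int) -> List[Packet]:
    """Flood arriving as one burst of burst_pkts packets every millisecond."""
    return [Packet(start_s * US_PER_S + b * 1000, size, False)
            for b in range(seconds * 1000) for _ in range(burst_pkts)]


def run(policer: UdpPolicer, *streams: List[Packet]) -> Dict[str, int]:
    stats = {"legit_admitted": 0, "legit_dropped": 0,
             "attack_admitted": 0, "attack_dropped": 0}
    for pkt in sorted((p for s in streams for p in s), key=lambda p: p.ts_us):
        who = "legit" if pkt.legit else "attack"
        stats[f"{who}_{'admitted' if policer.admit(pkt) else 'dropped'}"] += 1
    return stats


def scenario(attack_size: Optional[int]) -> Dict[str, int]:
    """200 pps of 300-byte legitimate UDP for 3 s; optionally a 50 kpps flood
    of attack_size-byte packets during seconds 1-3. Policer: 10 Mbit/s with a
    1 Mbit burst, 10 kpps with a 2,000-packet burst (assumed baseline)."""
    policer = UdpPolicer(bps=10_000_000, bps_burst=1_000_000, pps=10_000, pps_burst=2_000)
    legit = legit_stream(seconds=3, pps=200, size=300)
    if attack_size is None:
        return run(policer, legit)
    return run(policer, legit, flood(start_s=1, seconds=2, burst_pkts=50, size=attack_size))


if __name__ == "__main__":
    for label, size in (("no attack", None),
                        ("1000-byte amplification replies", 1000),
                        ("64-byte query flood", 64)):
        print(f"{label:32} {scenario(size)}")
```

With no flood the legitimate stream passes untouched. With large amplification-sized replies the byte bucket is what binds, so the flood is held to roughly the configured 10 Mbit/s; with a small-packet flood the pps bucket binds instead, holding it to roughly 10 kpps. In both cases some of the legitimate packets that share the policer are dropped whenever they arrive while the flood has just emptied the relevant bucket, which is the crowding-out effect the thread argues about; the exact fraction depends on burst depth and on how bursty the flood is, so the numbers here are properties of the constructed input, not a prediction for any real link.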