[177268] in North American Network Operators' Group
Re: DDOS solution recommendation
daemon@ATHENA.MIT.EDU (Paul S.)
Sun Jan 11 10:28:45 2015
X-Original-To: nanog@nanog.org
Date: Mon, 12 Jan 2015 00:28:34 +0900
From: "Paul S." <contact@winterei.se>
To: nanog@nanog.org
In-Reply-To: <CACXVQYBnP-GMJ4n+4BkqVx7BtBa46aO4oo+FmDPGrEELwbT_kw@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org
There's the Cisco xRV too, should be decent for playing around with.
On 1/12/2015 午前 12:08, Dave Bell wrote:
> Maybe try the Cisco CSR1000v. In the trial mode it won't give you a
> decent throughput, but should have all features enabled.
>
> On 11 January 2015 at 15:02, Ammar Zuberi <ammar@fastreturn.net> wrote:
>> I’m stuck trying to find a virtual router environment that I can play with flowspec on. We do have some Juniper routers, but they are in production and I don’t think I want to touch flowspec on them just yet.
>>
>> Does anyone have any experience or any ideas here? Even openbgpd?
>>
>>> On Jan 11, 2015, at 6:58 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
>>>
>>>
>>> On 11 Jan 2015, at 20:52, Ca By wrote:
>>>
>>>> 1. BCP38 protects your neighbor, do it.
>>> It's to protect yourself, as well. You should do it all the way down to the transit customer aggregation edge, all the way down to the IDC access layer, etc.
>>>
>>>> 2. Protect yourself by having your upstream police Police UDP to some
>>>> baseline you are comfortable with.
>>> This will come back to haunt you, when the programmatically-generated attack traffic 'crowds out' the legitimate traffic and everything breaks.
>>>
>>> You can only really do this for ntp.
>>>
>>>> 3. Have RTBH ready for some special case.
>>> S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
>>>
>>> -----------------------------------
>>> Roland Dobbins <rdobbins@arbor.net>
