[177273] in North American Network Operators' Group
Re: DDOS solution recommendation
daemon@ATHENA.MIT.EDU (Pavel Odintsov)
Sun Jan 11 10:53:24 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <54B29AF7.3040102@free.fr>
Date: Sun, 11 Jan 2015 19:52:02 +0400
From: Pavel Odintsov <pavel.odintsov@gmail.com>
To: mh@xalto.net
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Hello!
If you speaking about ISP "filtering" you should check your subnets
and ASN here: https://radar.qrator.net
I was really amazed amount of DDoS bots/amplificators in my network.
On Sun, Jan 11, 2015 at 6:47 PM, Michael Hallgren <m.hallgren@free.fr> wrot=
e:
> Le 11/01/2015 14:50, Patrick W. Gilmore a =C3=A9crit :
>> I agree with lots said here.
>>
>> But I've said for years (despite some people saying I am confused) that =
BCP38 is the single most important thing we can do to cut DDoS.
>>
>> No spoofed source means no amplification. It also stops things like Kami=
nsky DNS attacks.
>>
>> There is no silver bullet. Security is a series of steps ("layers" as on=
e highly respected security professional has in his .sig). But the most imp=
ortant layer, the biggest bang for the buck we can do today, is eliminated =
spoofed source.
>>
>> Push on your providers. Stop paying for transit from networks that do no=
t filter ingress, put it in your RFPs, and reward those who do with contrac=
ts. Make it economically advantageous to fix the problem, and people will.
>
> +1
> mh
>>
>
--=20
Sincerely yours, Pavel Odintsov
