[177300] in North American Network Operators' Group


Re: DDOS solution recommendation

daemon@ATHENA.MIT.EDU (Tore Anderson)
Mon Jan 12 04:52:26 2015

X-Original-To: nanog@nanog.org
Date: Mon, 12 Jan 2015 10:51:58 +0100
From: Tore Anderson <tore@fud.no>
To: "Roland Dobbins" <rdobbins@arbor.net>
In-Reply-To: <B194D577-437D-429B-9881-C5394420467F@arbor.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

* "Roland Dobbins" <rdobbins@arbor.net>

> On 12 Jan 2015, at 16:19, Tore Anderson wrote:
> 
> > I'd love to use flowspec over D/RTBH, but to me it seems like 
> > vapourware.
> 
> I meant on your own infrastructure, apologies for the confusion.

Right. So if I first need to accept the traffic onto my infrastructure
before I can discard it, I'm dead in the water anyway: My uplinks will
sit there at 100% ingress utilisation, dropping legitimate traffic.
/32 or /128 D/RTBH announcements towards my transits is my only real
option at this point. That helps protect against collateral damage, and
if the customer's audience is local, it can also restore full operation
for the attacked customer's primary markets (which are usually reached
via peers instead of transits).

For attacks that are conveniently sized smaller than my upstream
capacity, I could see that flowspec could be useful, but not in a
unique way, as inside my own network I can easily distribute targeted
stateless discard ACLs in many other ways too (I use Netconf currently).

> Transit providers utilizing Juniper aggregation edge routers could do it 
> now - why they don't, I don't know.

I'd definitely be willing to pay a premium for such a feature.

Tore
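The two mitigations Tore contrasts above (a /32 or /128 D/RTBH host route towards transits when the attack exceeds uplink capacity, versus a targeted stateless discard ACL inside the network when it does not) as an added worked example. This is not code from the original post or from NANOG; the operator prefixes, discard next-hops, attack sizes and the victim address are constructed sample data, the announcement text follows ExaBGP-style "announce route" syntax and the ACL follows Junos-style filter syntax (both assumptions; adapt to your own BGP speaker and platform), and the BLACKHOLE community 65535:666 is the RFC 7999 well-known value, which a given transit may or may not honour in place of its own blackhole community.

```python
"""D/RTBH host-route announcement vs. in-network discard ACL.

Added example, not from the original post. Assumptions:
  - OWN_PREFIXES and BLACKHOLE_NEXT_HOP are constructed sample values;
  - transits honour the RFC 7999 BLACKHOLE community 65535:666
    (many require a provider-specific community instead);
  - output uses ExaBGP-style route commands and Junos-style filter text.
"""
import ipaddress
from typing import Tuple, Union

# Constructed sample data: the prefixes this network originates, i.e. the only
# address space we are ever allowed to blackhole towards transits.
OWN_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed discard next-hops (routed to discard on every edge router).
BLACKHOLE_NEXT_HOP = {4: "192.0.2.1", 6: "2001:db8::1"}
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE well-known community

HostRoute = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class RTBHError(ValueError):
    """Raised when a target must not be blackholed."""


def host_route(target: str) -> HostRoute:
    """Return the /32 or /128 host route for `target`.

    Refuses anything outside our own address space: a mistyped /32 sent to a
    transit with the blackhole community takes someone else's host offline,
    so this is the one check that must never be skipped.
    """
    addr = ipaddress.ip_address(target)
    if not any(addr in prefix for prefix in OWN_PREFIXES):
        raise RTBHError(f"{addr} is not in our own address space")
    return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")


def announce(target: str) -> str:
    """ExaBGP-style announcement of the host route with the BLACKHOLE community."""
    route = host_route(target)
    next_hop = BLACKHOLE_NEXT_HOP[route.version]
    return f"announce route {route} next-hop {next_hop} community [{BLACKHOLE_COMMUNITY}]"


def withdraw(target: str) -> str:
    """ExaBGP-style withdrawal once the attack subsides."""
    route = host_route(target)
    next_hop = BLACKHOLE_NEXT_HOP[route.version]
    return f"withdraw route {route} next-hop {next_hop}"


def discard_filter_term(target: str, protocol: str, dst_port: int) -> str:
    """Junos-style stateless discard term for an attack that fits within
    upstream capacity: only the attack vector is dropped, the victim stays up.
    The same check as for RTBH applies, so we never filter foreign space."""
    route = host_route(target)
    family = "inet" if route.version == 4 else "inet6"
    proto_kw = "protocol" if route.version == 4 else "next-header"
    name = "ddos-" + str(route.network_address).replace(".", "-").replace(":", "-")
    return (
        f"firewall {{ family {family} {{ filter ddos-discard {{ term {name} {{\n"
        f"    from {{ destination-address {{ {route}; }} {proto_kw} {protocol}; "
        f"destination-port {dst_port}; }}\n"
        f"    then {{ count {name}; discard; }}\n"
        f"}} }} }} }}"
    )


def choose_mitigation(target: str, attack_bps: float, uplink_bps: float,
                      protocol: str = "udp", dst_port: int = 123) -> Tuple[str, str]:
    """Apply the reasoning from the post: if the attack would saturate the
    uplinks, dropping it on-net is too late and only a D/RTBH host route towards
    transits helps; if it fits within capacity, a targeted discard ACL is enough
    and keeps the victim reachable."""
    if attack_bps >= uplink_bps:
        return ("rtbh", announce(target))
    return ("acl", discard_filter_term(target, protocol, dst_port))


if __name__ == "__main__":
    # Constructed scenario: 20 Gbit/s of uplink, one victim in our /24.
    for attack in (40e9, 5e9):
        kind, text = choose_mitigation("192.0.2.10", attack, 20e9)
        print(f"# attack {attack / 1e9:.0f} Gbit/s -> {kind}\n{text}\n")
    print(withdraw("192.0.2.10"))
```

The host-route check is the part worth copying regardless of platform: the blackhole community is honoured by transits on trust, so the tooling that emits it should refuse any target outside the prefixes you actually originate.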
