[178961] in North American Network Operators' Group
Re: Getting hit hard by CHINANET
daemon@ATHENA.MIT.EDU (Mark Tinka)
Wed Mar 18 02:32:41 2015
To: nanog@nanog.org
From: Mark Tinka <mark.tinka@seacom.mu>
Date: Wed, 18 Mar 2015 08:32:36 +0200
in-reply-to: <DF41086D-7DEB-4C8C-8B1A-BC21082E437D@arbor.net>
On 18/Mar/15 08:19, Roland Dobbins wrote:
>
>
> The assumption is that the OP is an end-customer/endpoint network,
> and willing to pay for same, if necessary.
My general experience is that customers are not willing to pay for
implementation of data plane filters. They'd be willing to pay for
traffic scrubbing, however.
>
> Even if that's not the case, that's how DDoS attacks are routinely and
> cooperatively mitigated between providers, when it's possible to block
> based on source, number of sources isn't overwhelming, etc.
That's one of two issues - if the sources are overwhelming how does one
scale that up without the use of some scrubbing service? Writing data
plane filters that are customer-specific works (assuming you have the
hardware for it), but can get unwieldy.

The other issues are the chance to boo-boo things when filtering a
customer-facing port, and/or forgetting to remove filters after they are
needed and customer (or the remote end) ends up having reachability issues.
Mark.