[178966] in North American Network Operators' Group

Re: Getting hit hard by CHINANET

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Wed Mar 18 05:49:23 2015

X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: nanog@nanog.org
Date: Wed, 18 Mar 2015 16:49:15 +0700
In-Reply-To: <55091C04.8090504@seacom.mu>
Errors-To: nanog-bounces@nanog.org


On 18 Mar 2015, at 13:32, Mark Tinka wrote:

> That's one of two issues - if the sources are overwhelming how does 
> one scale that up without the use of some scrubbing service? Writing 
> data plane filters that are customer-specific works (assuming you have 
> the hardware for it), but can get unwieldy.

Some operators have specialized DDoS mitigation capabilities.  Others 
rely exclusively on basic network infrastructure-based mechanisms like 
D/RTBH, S/RTBH, and/or flowspec.

> The other issues are the chance to boo-boo things when filtering a 
> customer-facing port, and/or forgetting to remove filters after they 
> are needed and customer (or the remote end) ends up having 
> reachability issues.

Sure.  But this doesn't obviate the fact that cooperative DDoS 
mitigation amongst network operators routinely takes place on the 
Internet today, and is increasingly made available in one form or 
another to end-customers who request same.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
