[178968] in North American Network Operators' Group
Re: Getting hit hard by CHINANET
daemon@ATHENA.MIT.EDU (Colin Johnston)
Wed Mar 18 05:57:52 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <F1B710AA-A0E9-4430-B3AA-4E09D6F638C3@arbor.net>
From: Colin Johnston <colinj@gt86car.org.uk>
Date: Wed, 18 Mar 2015 09:55:15 +0000
To: Roland Dobbins <rdobbins@arbor.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
would be interested to know of providers using bgp to auto block ranges from=
china
colin
Sent from my iPhone
> On 18 Mar 2015, at 09:49, "Roland Dobbins" <rdobbins@arbor.net> wrote:
>=20
>=20
>> On 18 Mar 2015, at 13:32, Mark Tinka wrote:
>>=20
>> That's one of two issues - if the sources are overwhelming how does one s=
cale that up without the use of some scrubbing service? Writing data plane f=
ilters that are customer-specific works (assuming you have the hardware for i=
t), but can get unwieldy.
>=20
> Some operators have specialized DDoS mitigation capabilities. Others rely=
exclusively on basic network infrastructure-based mechanisms like D/RTBH, S=
/RTBH, and/or flowspec.
>=20
>> The other issues are the chance to boo-boo things when filtering a custom=
er-facing port, and/or forgetting to remove filters after they are needed an=
d customer (or the remote end) ends up having reachability issues.
>=20
> Sure. But this doesn't obviate the fact that cooperative DDoS mitigation a=
mongst network operators routinely takes place on the Internet today, and is=
increasingly made available in one form or another to end-customers who req=
uest same.
>=20
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>
