[179006] in North American Network Operators' Group
Re: Getting hit hard by CHINANET
daemon@ATHENA.MIT.EDU (Ca By)
Mon Mar 23 10:58:29 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.64.1403230641250.16055@whammy.cluebyfour.org>
Date: Mon, 23 Mar 2015 07:55:31 -0700
From: Ca By <cb.list6@gmail.com>
To: "Justin M. Streiner" <streiner@cluebyfour.org>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Sun, Mar 23, 2014 at 3:43 AM, Justin M. Streiner <streiner@cluebyfour.org> wrote:
> On Mon, 23 Mar 2015, Ca By wrote:
>
>> Having your upstream apply a permanent udp bw policer, say 5 or 10x busy
>> hour baseline, works well for this.
>>
>
> Many upstreams will not do that, particularly on a permanent basis. They
> might do something temporarily to deal with an incident, but many of the
> bigger carriers probably wouldn't want to leave that in place permanently.
>
> jms
>
My Tier 1 up-streams are fine with it permanent. YMMV. I did have to get
my account team involved, but from a technical perspective, a one line
policer (all UDP rate-limit to 10% of link speed) is not a technical
challenge, and the one-off config element is not overly burdensome.
Again, YMMV. And, your frequency and impact of IPv4 UDP-based attacks will
dictate your needs.
CB