[185602] in North American Network Operators' Group
Re: DDoS mitigation for ISPs
daemon@ATHENA.MIT.EDU (Hugo Slabbert)
Thu Oct 29 12:05:18 2015
X-Original-To: nanog@nanog.org
Date: Thu, 29 Oct 2015 08:54:06 -0700
From: Hugo Slabbert <hugo@slabnet.com>
To: Mike <mike-nanog@tiedyenetworks.com>
In-Reply-To: <56323E67.8010304@tiedyenetworks.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
--va4/JQ6j8/8uipEp
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Thu 2015-Oct-29 08:42:31 -0700, Mike <mike-nanog@tiedyenetworks.com> wro=
te:
>Hello,
>
> Is there any DDoS mitigation service provider that can scrub=20
>traffic for an ISP network? I have an ASN and BGP and my own=20
>netblocks, and I have a 1gbps pipe. I was thinking the scenario would=20
>be during attack, we could bring up a tunnel and run bgp over it and=20
>advertise some portion of our ip space thru it. I realise getting it=20
>setup while attack is taking place would be a little hard and that we=20
>likely could expect at least some down time. What we have seen so far=20
>has been reflection attacks (dns and ssdp) and we have been able to=20
>do rate limiting on these and other protocols to sane values. This=20
>has worked well, although the primary risk is once the traffic flow=20
>exceeds the link capacity such limiting won't have any net effect.=20
>But if we could farm this out during times of trouble to a mitigation=20
>services provider, they could advertise our block(s) and rate limit=20
>and scrub for us and send us the result, it would be a far better=20
>than what we have now (which is effectively nothing). I asked=20
>cloudflare this and they stated they are focused on web traffic. My=20
>upstream can't help me, doesn't support RTBH and won't install=20
>filters anyways unless it's impacting THEIR network. Just wondering=20
>if anyone has any other ideas (short of ditching my provider, which I=20
>also can't do due at this time due to lack of competitive choice).
>
>Mike-
>
In no particular order:
- Prolexic (Akamai)
- Arbor Networks
- Staminus
- Black Lotus
- Incapsula
- Radware
This is not an endorsement for any of the above.=20
Alternatively: http://lmgtfy.com/?q=3Dddos+protection
--=20
Hugo
hugo@slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
(also on textsecure & redphone)
--va4/JQ6j8/8uipEp
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJWMkEeAAoJEJqxD/2xeDE+EccP/RQ1PQtp/kc2EYiaUktss+ZH
wSs61j3peA7jjkabcGmXX1j9WOYV9j+pkzbuYbyHjtUpI8x8xk5OZ9NyVaCvwFp1
g+K8OQNsAZNFxhIj30k1Br2JRo4Aq80wg3sbr81XW3Iy2M+DbM66cO70tIKGK6+1
ooW9LGvzyzJJ/I6b/VVBGX2WhDed8FLXEJP2fwPzRvZoEJeavntJLUPzfjpmWvwp
xZnG5UWZymEIfbehf+qEEhEjLrDK79+lo3VyFshcCRI2P2rAczH/GJqPhB53idFH
328dlsIDPRAgiQt6n9M0IELbqMHfrmC2a0dJzbDmHLCX8Hxc1Sd+6jdet2ZzFXNK
XEwbYZ903Q/MyIrVhsFSC+Ai2kp7V63ipmdqpqyUUfZJl3ReJM4PTjMb1vbowEI9
PEiiuMxenpyUmYKM4J3Hp7w5utpOTj1VMokzqm2f9dySkuEsfGMjEPzgmKLuzuue
8mfdoxRlnOfX3asaDjQ2QIeOCoeJL8gnXDFdxkgNhCWkWfNkoPNJSwFo/F6HYIXi
oBRTMowPp03lVwyrAL5mUQgOUHZKeODVzwTERg6KV35x+9nskhh5DF6cAst2dcom
iAMgq9+rsjz67E8iTDOgl+12t7QeQOLQ2RBD4LrMIlqKdYhoUATPNb2iOkdZm1z7
YOpwp+tZSGyXle4r9edm
=DAVS
-----END PGP SIGNATURE-----
--va4/JQ6j8/8uipEp--
