[189032] in North American Network Operators' Group
Re: BGP FlowSpec
daemon@ATHENA.MIT.EDU (Alexander Maassen)
Mon May 2 09:00:13 2016
X-Original-To: nanog@nanog.org
In-Reply-To: <4548ef76bafd6f33e098c93f90a46c7c@tcb.net>
Date: Mon, 2 May 2016 15:03:43 +0200
From: "Alexander Maassen" <outsider@scarynet.org>
To: "Danny McPherson" <danny@tcb.net>
X-SA-Exim-Mail-From: outsider@scarynet.org
Reply-To: outsider@scarynet.org
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, May 2, 2016 2:30 pm, Danny McPherson wrote:
> We use it effectively in a layered model where "Principle of Minimal
> Intervention" applies, allowing attack mitigation and traffic diversion
> in the most optimal place (e.g., at network ingress), and only scrubbing
> or diverting traffic when necessary.
Sorry to say, but the most optimal place for ddos mitigation is at network
egress of origin. What comes in mind regarding that is the ability for
target ASN telling source ASN to stop sending packets from a specific
(let's say /29) in the case of a DDoS (with appropiate security measures
in place off course).
Because, let's face it, why would a target of a ddos need to nullroute
itself?
