[189058] in North American Network Operators' Group
Re: BGP FlowSpec
daemon@ATHENA.MIT.EDU (Martin Bacher)
Mon May 2 18:22:05 2016
X-Original-To: nanog@nanog.org
From: Martin Bacher <ti14m028@technikum-wien.at>
In-Reply-To: <CAJL_ZMPfA3b1RTWKQXwduJXrUYdvQqFAad2AkPgzuHSWR7FY0A@mail.gmail.com>
Date: Tue, 3 May 2016 00:21:56 +0200
To: jim deleskie <deleskie@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On 02.05.2016 at 23:51, jim deleskie <deleskie@gmail.com> wrote:
>
> I was going to avoid this thread because I've never been a huge fan of
> Flowspec for my own reasons. However, having worked on / been responsible
> for several "Tier 1 and 2" networks and DDoS mitigation services over the
> last 20 years, I can say neither I, nor any of my peers (in any sense of
> that word) that I have known, have wanted to keep "bad" traffic on our
> networks so we can bill for it. Designing and running a large network is
> hard enough with planned growth, without having to manage unplanned spikes
> on links that can be orders of magnitude larger than traffic that
> "normally" flows across it.
I was for sure not precise enough in my statement and should have left
out the money part. Sorry for that. An ISP would of course protect its
own infrastructure and other customers if the attack is large enough and
always tries to keep the general impact as low as possible. But auto
mitigation is usually only provided for customers who are paying for
it. BGP-FS offers an easy way for automatic deployment of traffic
remarking of attack traffic in order to keep the overall impact for its
own network and other customers at a very low level.
> On top of that, any given DDoS attack seldom lasts long enough to
> materially impact 95%ile billing, so carriers don't make anything from
> it, but have to do all the work of moving it around.
>
> -jim
>
> On Mon, May 2, 2016 at 6:38 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
>
>> On 2 May 2016, at 20:16, Martin Bacher wrote:
>>
>>> However, Tier 1s and most probably also some of the Tier 2s may not want
>>> to offer it to customers because they are losing money if less traffic is
>>> sent downstream on IP-Transit links.
>>>
>>
>> I will go a step further than Danny's comments and state that this is
>> categorically and demonstrably untrue.
>>
>> Many of the quite large 'Tier-1' and 'Tier-2' (using the old terminology)
>> operators on this list offer commercial DDoS mitigation services making use
>> of technologies like D/RTBH, S/RTBH, IDMS, et al. due to customer demand.
>> They need these capabilities in order to defend their own properties and
>> assets, and they are also offering them to end-customers who want and need
>> them.
>>
>> In point of fact, it's becoming difficult to find one which *doesn't*
>> offer this type of service.
>>
>> There were a couple of situations in the first half of the first decade of
>> this millennium where operators took this attitude. But they changed their
>> tunes pretty rapidly once they themselves were impacted, and once they
>> started losing customers because they couldn't and wouldn't protect them.
>>
>> And as Danny notes, these technologies are all tools in the toolbox. NFV
>> and 'SDN' have tremendous potential to make it a lot easier to bring
>> mitigation resources to bear in a dynamic and optimal fashion within single
>> spans of administrative control; and there are standards-based efforts
>> underway to provide for a higher degree of automation, increased rapidity
>> of response, and interoperability in both inter- and intra-network DDoS
>> mitigation scenarios.
>>
>> -----------------------------------
>> Roland Dobbins <rdobbins@arbor.net>
>>
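The traffic remarking via BGP FlowSpec that Martin refers to, as an added illustration that is not part of this thread: a small Python encoder for the RFC 5575 flow NLRI (destination prefix, IP protocol, destination ports) and for the traffic-marking (DSCP) and traffic-rate extended communities an upstream would attach to it. The victim address (RFC 5737 documentation range), ports, DSCP value and rate are constructed sample values, and remark_rule is a hypothetical helper.

```python
import ipaddress
import struct

# RFC 5575 component types used here: destination prefix, IP protocol, destination port.
DEST_PREFIX, IP_PROTO, DEST_PORT = 1, 3, 5

def prefix_component(type_code, cidr):
    """Type 1/2 component: type, prefix length, then only the prefix octets needed."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([type_code, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_component(type_code, values):
    """Numeric-operator component: '== value' terms OR'ed together.
    Operator byte: bit7 end-of-list, bits5-4 value length (00=1, 01=2 octets), bit0 eq."""
    out = bytearray([type_code])
    for i, v in enumerate(values):
        op, enc = (0x00, bytes([v])) if v < 256 else (0x10, struct.pack("!H", v))
        op |= 0x01                      # eq
        if i == len(values) - 1:
            op |= 0x80                  # end-of-list
        out += bytes([op]) + enc
    return bytes(out)

def flowspec_nlri(dest_cidr, proto, dst_ports):
    """Flow NLRI: one-octet length (valid below 240) then components in ascending type order."""
    body = (prefix_component(DEST_PREFIX, dest_cidr)
            + numeric_component(IP_PROTO, [proto])
            + numeric_component(DEST_PORT, dst_ports))
    if len(body) >= 240:
        raise ValueError("use the two-octet length form for NLRI of 240 octets or more")
    return bytes([len(body)]) + body

def traffic_rate(bytes_per_sec, asn=0):
    """Extended community 0x8006: 2-octet AS (informational) + IEEE float rate; 0 means drop."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bytes_per_sec)

def traffic_marking(dscp):
    """Extended community 0x8009: five zero octets, then the DSCP in the low six bits."""
    return bytes([0x80, 0x09, 0, 0, 0, 0, 0, dscp & 0x3F])

def remark_rule(dest_cidr, proto, dst_ports, dscp, rate=None):
    """Hypothetical helper: the NLRI plus the actions to attach (mark, optionally rate-limit)."""
    actions = [traffic_marking(dscp)]
    if rate is not None:
        actions.append(traffic_rate(rate))
    return flowspec_nlri(dest_cidr, proto, dst_ports), actions

if __name__ == "__main__":
    # Constructed sample: remark UDP/53 and UDP/1900 toward one victim host to DSCP 8, capped at 1 MB/s.
    nlri, acts = remark_rule("198.51.100.10/32", 17, [53, 1900], dscp=8, rate=1_000_000.0)
    print(nlri.hex(), [a.hex() for a in acts])
```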