[189059] in North American Network Operators' Group
Re: BGP FlowSpec
daemon@ATHENA.MIT.EDU (Martin Bacher)
Mon May 2 18:39:01 2016
X-Original-To: nanog@nanog.org
From: Martin Bacher <ti14m028@technikum-wien.at>
In-Reply-To: <39E3196C-F921-4237-B4C2-CF392AA90F86@arbor.net>
Date: Tue, 3 May 2016 00:38:53 +0200
To: Roland Dobbins <rdobbins@arbor.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On 03.05.2016 at 00:06, Roland Dobbins <rdobbins@arbor.net> wrote:
>
> On 3 May 2016, at 4:51, jim deleskie wrote:
>
>> I was going to avoid this thread because I've never been a huge fan of Flowspec for my own reasons.
>
> Flowspec is an extremely useful tool, IMHO - not only for direct, layer-4-granular mitigation leveraging linecard ASICs, but for more granular and selective diversion into mitigation centers, as well. And its value is growing with increased platform support. It isn't perfect (nothing is), and operators must be aware of its performance/scalability envelope on a given platform, but it's a great tool to have in the toolbox.
+1
>
>> I can say I, nor any of my peers (in any sense of that word) that I have known, have wanted to keep "bad" traffic on our networks so we can bill for it.
>
> +1!
>
> I ran into this situation precisely twice early in the 'oughts ("Let the packets come!" was the quote which stood out in my mind); those espousing it pretty quickly changed their tunes once their networks had been knocked flat a couple of times.
Let the packets come is not the message. But an upstream ISP can either drop the traffic to reduce the impact on its own network and the customers which are not attacked directly, or remark and/or rate-limit the particular flows with nearly the same result (of course not for the customer under attack). And please don't get me wrong. I am not a fan of implementing it that way.

I also want to add something to keeping bad traffic: Well, nobody wants to keep bad traffic. But that does not imply that all upstream ISPs are filtering out attacks by default for customers which are not paying for that. This is at least my interpretation from reading the various available DDoS reports and research papers.
>
> ;>
>
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>