Re: D/DoS mitigation hardware/software needed.

[Rick Ernst <nanog () shreddedmail com>]

Right. Some providers allow you to BGP community trigger RTBH.  There was a
separate mention of D/DoS-mitigation-providers using DNS and BGP tunneling.

Rick




On Mon, Jan 11, 2010 at 8:14 AM, Stefan Fouant <
sfouant () shortestpathfirst net> wrote:

> > -----Original Message-----
> > From: Rick Ernst [mailto:nanog () shreddedmail com]
> > Sent: Monday, January 11, 2010 10:39 AM
> > To: NANOG
> > Subject: Re: D/DoS mitigation hardware/software needed.
> >
> > As a service-provider/data-center, it seems like outsourcing would be
> > either
> > ineffective and/or removes the "big red button" in case of trouble.
> >
> > Am I missing something, overly paranoid, or are there other mechanisms
> > for
> > outsourced protection?
>
> In fact, quite the opposite.  Those providers who do offer DDoS mitigation
> services usually allow the customer to trigger the redirect in a manner
> similar to RTBHs by substituting the blackhole community for some type of
> mitigation community.  This causes the Provider's edge router (or Route
> Server) to advertise the affected route within the Service Provider's
> network with a next-hop of the scrubbers.
>
> There are some providers who do auto-mitigation on behalf of the customer,
> but IMO this approach is asking for trouble.
>
> Stefan Fouant, CISSP, JNCIE-M/T
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D