Re: Verisign Internet Defence Network

[Rubens Kuhl <rubensk () gmail com>]

ms made by the product descriptions seem suspect to me.
> it claims to be "Carrier-agnostic and ISP-neutral", yet "When an event is
> detected, Verisign will work with the customer to redirect Internet traffic
> destined for the protected service to a Verisign Internet Defense Network
> site."
>
> anyone here have any comments on how this works, and how effective it will be
> vs. dealing directly with your upstream providers and getting them to assist
> in shutting down the attack?

Anyone willing to announce your IP blocks under attack, receive the
traffic and then tunnel the non-attack traffic back to you can provide
such services without cooperation from your upstreams. I don't know
the details about this particular provider, such as if they announce
your blocks from yours or theirs ASN, if they use more specifics,
communities or is simply very well connected, but as BGP on the DFZ
goes, it can work.

You might need to get your upstreams to not filter announcements from
your IP block they receive, because that would prevent mitigation for
attack traffic from inside your upstream AS.

(RPKI could also be a future challenge for such service, but one could
previously sign ROAs to be used in an attack response)

Rubens