nanog mailing list archives
Re: Verisign Internet Defence Network
From: Rubens Kuhl <rubensk () gmail com>
Date: Mon, 30 May 2011 11:43:35 -0300
ms made by the product descriptions seem suspect to me.
it claims to be "Carrier-agnostic and ISP-neutral", yet "When an event is detected, Verisign will work with the customer to redirect Internet traffic destined for the protected service to a Verisign Internet Defense Network site." anyone here have any comments on how this works, and how effective it will be vs. dealing directly with your upstream providers and getting them to assist in shutting down the attack?
Anyone willing to announce your IP blocks under attack, receive the traffic and then tunnel the non-attack traffic back to you can provide such services without cooperation from your upstreams. I don't know the details about this particular provider, such as if they announce your blocks from yours or theirs ASN, if they use more specifics, communities or is simply very well connected, but as BGP on the DFZ goes, it can work. You might need to get your upstreams to not filter announcements from your IP block they receive, because that would prevent mitigation for attack traffic from inside your upstream AS. (RPKI could also be a future challenge for such service, but one could previously sign ROAs to be used in an attack response) Rubens
Current thread:
- Verisign Internet Defence Network Jim Mercer (May 30)
- Re: Verisign Internet Defence Network Rubens Kuhl (May 30)
- Re: Verisign Internet Defence Network Joel Jaeggli (May 30)
- RE: VeriSign Internet Defense Network Deepak Jain (May 31)
- Re: VeriSign Internet Defense Network Christopher Morrow (May 31)
- RE: VeriSign Internet Defense Network Stefan Fouant (May 31)
- RE: VeriSign Internet Defense Network Stefan Fouant (May 31)
- Re: Verisign Internet Defence Network Joel Jaeggli (May 30)
- Re: Verisign Internet Defence Network Rubens Kuhl (May 30)
- Re: Verisign Internet Defence Network Seth Mattinen (May 31)