nanog mailing list archives
Re: VeriSign Internet Defense Network
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 31 May 2011 15:31:01 -0400
On Tue, May 31, 2011 at 3:06 PM, Deepak Jain <deepak () ai net> wrote:
Let's not ignore the value of DNS with a short ttl time. It may not be "as quick" as a BGP adjustment, but serves to provide a buttressed front-end IP that can restore service "instantly" [faster than getting someone on the phone to coordinate the change, etc]. Disclaimer: We provide a service for our customers that does substantially this sort of DDOS mitigation.
also, note that VerizonBusiness ddos-mitigation service was no-call-required, just send the right community on a configured session ... and 'cheap'. -chris
Normally when mitigation is put in place, they advertise a more specific prefix from as26415, scrub the traffic and hand it back to you over a gre tunnel... Obviously some design consideration goes into having services in prefixes you're willing to de-agg in such a fashion... I'd also recommend advertising the more specific out your own ingress paths before they pull your route otherwise the churn while various ASes grind through their longer backup routes takes a while. On May 30, 2011, at 7:43 AM, Rubens Kuhl wrote:ms made by the product descriptions seem suspect to me.it claims to be "Carrier-agnostic and ISP-neutral", yet "When anevent isdetected, Verisign will work with the customer to redirect Internettrafficdestined for the protected service to a Verisign Internet DefenseNetworksite." anyone here have any comments on how this works, and how effectiveit will bevs. dealing directly with your upstream providers and getting themto assistin shutting down the attack?Anyone willing to announce your IP blocks under attack, receive the traffic and then tunnel the non-attack traffic back to you canprovidesuch services without cooperation from your upstreams. I don't know the details about this particular provider, such as if they announce your blocks from yours or theirs ASN, if they use more specifics, communities or is simply very well connected, but as BGP on the DFZ goes, it can work. You might need to get your upstreams to not filter announcements from your IP block they receive, because that would prevent mitigation for attack traffic from inside your upstream AS. (RPKI could also be a future challenge for such service, but onecouldpreviously sign ROAs to be used in an attack response) Rubens
Current thread:
- Verisign Internet Defence Network Jim Mercer (May 30)
- Re: Verisign Internet Defence Network Rubens Kuhl (May 30)
- Re: Verisign Internet Defence Network Joel Jaeggli (May 30)
- RE: VeriSign Internet Defense Network Deepak Jain (May 31)
- Re: VeriSign Internet Defense Network Christopher Morrow (May 31)
- RE: VeriSign Internet Defense Network Stefan Fouant (May 31)
- RE: VeriSign Internet Defense Network Stefan Fouant (May 31)
- Re: Verisign Internet Defence Network Joel Jaeggli (May 30)
- Re: Verisign Internet Defence Network Rubens Kuhl (May 30)
- Re: Verisign Internet Defence Network Seth Mattinen (May 31)