Re: VeriSign Internet Defense Network

[Christopher Morrow <morrowc.lists () gmail com>]

On Tue, May 31, 2011 at 3:06 PM, Deepak Jain <deepak () ai net> wrote:
> Let's not ignore the value of DNS with a short ttl time. It may not be "as quick" as a BGP adjustment, but serves to 
> provide a buttressed front-end IP that can restore service "instantly" [faster than getting someone on the phone to 
> coordinate the change, etc].
>
> Disclaimer: We provide a service for our customers that does substantially this sort of DDOS mitigation.

also, note that VerizonBusiness ddos-mitigation service was
no-call-required, just send the right community on a configured
session ... and 'cheap'.

-chris

> > Normally when mitigation is put in place, they advertise a  more
> > specific prefix from as26415, scrub the traffic and hand it back to you
> > over a gre tunnel...
> >
> > Obviously some design consideration goes into having services in
> > prefixes you're willing to de-agg in such a fashion... I'd also
> > recommend advertising the more specific out your own ingress paths
> > before they pull your route otherwise the churn while various ASes
> > grind through their longer backup routes takes a while.
> >
> > On May 30, 2011, at 7:43 AM, Rubens Kuhl wrote:
> >
> > > ms made by the product descriptions seem suspect to me.
> > > > it claims to be "Carrier-agnostic and ISP-neutral", yet "When an
> > event is
> > > > detected, Verisign will work with the customer to redirect Internet
> > traffic
> > > > destined for the protected service to a Verisign Internet Defense
> > Network
> > > > site."
> > > >
> > > > anyone here have any comments on how this works, and how effective
> > it will be
> > > > vs. dealing directly with your upstream providers and getting them
> > to assist
> > > > in shutting down the attack?
> > >
> > > Anyone willing to announce your IP blocks under attack, receive the
> > > traffic and then tunnel the non-attack traffic back to you can
> > provide
> > > such services without cooperation from your upstreams. I don't know
> > > the details about this particular provider, such as if they announce
> > > your blocks from yours or theirs ASN, if they use more specifics,
> > > communities or is simply very well connected, but as BGP on the DFZ
> > > goes, it can work.
> > >
> > > You might need to get your upstreams to not filter announcements from
> > > your IP block they receive, because that would prevent mitigation for
> > > attack traffic from inside your upstream AS.
> > >
> > > (RPKI could also be a future challenge for such service, but one
> > could
> > > previously sign ROAs to be used in an attack response)
> > >
> > > Rubens