nanog mailing list archives

DDoS Prevention for a Transit Provider


From: Jack Stonebraker <Jack.Stonebraker () mygrande com>
Date: Wed, 30 Oct 2013 15:42:29 +0000

I'm looking to pick the brain of any engineers out there who have deployed a DDoS prevention strategy for an MSO that 
also runs their own transport network.  Recently, we have been seeing increasingly large spikes of traffic traversing 
our core.  We have determined the destination to be arbitrary, but often it is some host (a customer CPE) south of one 
of our CMTSs.  While we enforce ingress and egress rate limits facing the customers, the core-facing network is pretty 
wide open, allowing the BGP mesh to steer traffic as needed.

Initially, we've been trying to do root analysis of the traffic makeup via JFLOW data to see if simple ACLs might be a 
temporary stop-gap, but I also want to explore a more elegant, long-term solution.

The introduction of IPSs feels cost-prohibitive, especially since they would need to perform control at the core, 
as we provide wholesale transport services on top of our enterprise services, and that makes for a huge amount of 
homogenized traffic to be inspected.

Generally, the core can weather these spikes.  Instead, it's the corresponding edge-end L3-to-L2 trunks that become 
saturated.

Any thoughts or comments would be greatly appreciated.  Thanks.

JJ Stonebraker
IP Network Engineering
Grande Communications
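The post describes sizing up a stop-gap ACL from flow data: find which destination is absorbing the spike, break the bytes to it down by protocol and destination port, and check whether a handful of port-based deny entries would catch most of it. The script below is an added example written for this archive page, not code from the poster or from Grande Communications. It works on a constructed list of flow records (a fixed tuple layout is assumed; real JFLOW/IPFIX exports would first be decoded into that layout), and the rendered ACL lines use a generic "deny/permit" syntax as a placeholder for whatever the actual platform takes.

```python
"""Aggregate flow records to locate a DDoS target and size a stop-gap ACL.

Added example for this page, not from the original post.  The flow
records below are constructed sample data, not a real JFLOW export; the
(src, dst, proto, dport, bytes) layout and the ACL syntax are assumptions.
"""
from collections import Counter
import ipaddress

PROTO_NAMES = {6: "tcp", 17: "udp"}

# Constructed sample flows: (src_ip, dst_ip, ip_proto, dst_port, bytes).
# Most bytes go to one CPE address (198.51.100.42) on UDP/53 and UDP/123.
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.42", 17, 53, 600_000),
    ("203.0.113.11", "198.51.100.42", 17, 53, 500_000),
    ("192.0.2.5", "198.51.100.42", 17, 123, 200_000),
    ("192.0.2.99", "198.51.100.42", 6, 80, 50_000),
    ("203.0.113.20", "198.51.100.7", 6, 443, 80_000),
    ("192.0.2.5", "198.51.100.7", 17, 53, 10_000),
]


def bytes_by_dst(flows):
    """Total bytes per destination address."""
    counts = Counter()
    for _src, dst, _proto, _dport, nbytes in flows:
        counts[dst] += nbytes
    return counts


def top_target(flows):
    """(destination, bytes) for the address receiving the most traffic."""
    dst, nbytes = bytes_by_dst(flows).most_common(1)[0]
    return dst, nbytes


def service_breakdown(flows, dst):
    """[((proto, dport), bytes, share)] for traffic to dst, largest first."""
    counts = Counter()
    for _src, d, proto, dport, nbytes in flows:
        if d == dst:
            counts[(proto, dport)] += nbytes
    total = sum(counts.values())
    return [(key, n, n / total) for key, n in counts.most_common()]


def source_prefixes(flows, dst, prefixlen=24):
    """Bytes to dst grouped by source prefix; shows whether sources cluster."""
    counts = Counter()
    for src, d, _proto, _dport, nbytes in flows:
        if d == dst:
            net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
            counts[str(net)] += nbytes
    return counts.most_common()


def propose_acl(flows, dst, share_threshold=0.8):
    """Fewest (proto, dport) services that together cover share_threshold
    of the bytes to dst.  Returns (services, covered_share)."""
    chosen, covered = [], 0.0
    for key, _n, share in service_breakdown(flows, dst):
        if covered >= share_threshold:
            break
        chosen.append(key)
        covered += share
    return chosen, covered


def render_acl(dst, services):
    """Generic ACL text for the chosen services (placeholder syntax)."""
    lines = [
        f"deny {PROTO_NAMES.get(proto, proto)} any host {dst} eq {dport}"
        for proto, dport in services
    ]
    lines.append("permit ip any any")
    return lines


if __name__ == "__main__":
    dst, nbytes = top_target(SAMPLE_FLOWS)
    print(f"top target: {dst} ({nbytes} bytes)")
    for key, n, share in service_breakdown(SAMPLE_FLOWS, dst):
        print(f"  {key}: {n} bytes ({share:.1%})")
    print("sources:", source_prefixes(SAMPLE_FLOWS, dst))
    services, covered = propose_acl(SAMPLE_FLOWS, dst)
    print(f"ACL covering {covered:.1%}:")
    print("\n".join(render_acl(dst, services)))
```

The share threshold is the practical knob: on the sample data a single UDP/53 deny catches about 81% of the bytes, and adding UDP/123 takes it past 96%. A port-based deny at the core also discards that customer's legitimate traffic on those ports for as long as it is installed, which is why the post treats this as a temporary stop-gap rather than the long-term answer.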

