nanog mailing list archives

RE: DDOS, IDS, RTBH, and Rate limiting


From: "Frank Bulk" <frnkblk () iname com>
Date: Sat, 8 Nov 2014 23:31:31 -0600

But that's my point: many small operators don't have tools and/or staff to
identify flows in order to police and/or drop the traffic, and definitely
not a NOC that can intervene in under 5 minutes.  How much simpler if there
was a generic rule that said "no one IP can receive more than 200 Mbps", log
on that, and then if it takes 30 or 90 minutes for someone to react, that's
fine, but in the meantime other customers weren't affected.

Frank

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of joel jaeggli
Sent: Saturday, November 08, 2014 11:22 PM
To: Roland Dobbins; NANOG
Subject: Re: DDOS, IDS, RTBH, and Rate limiting

On 11/8/14 6:28 PM, Roland Dobbins wrote:

> On 9 Nov 2014, at 8:59, Frank Bulk wrote:
>
>> I've written it before: if there was a software feature in routers
>> where I could specify the maximum rate any prefix size (up to /32) could
>> receive, that would be very helpful.
>
> QoS generally isn't a suitable mechanism for DDoS mitigation, as the
> programmatically-generated attack traffic ends up 'crowding out'
> legitimate traffic.

if you can identify attack traffic well enough to police it reliably
then you can also drop it on the floor.

> S/RTBH, flowspec, and other methods tend to produce better results.

yup.

> -----------------------------------
> Roland Dobbins <rdobbins () arbor net>
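The two positions in this thread (Frank's "fire a generic per-IP threshold and let the NOC look at it later" and Roland's "police or drop the identified attack traffic with S/RTBH or flowspec rather than QoS") can be combined in a small automation. The following is an added example, not code from the thread or from any router vendor: it estimates per-destination inbound rate from sampled flow records, applies the fixed 200 Mbps figure Frank mentions, and then, instead of policing the victim, either announces a FlowSpec discard for the dominant attack signature or an RTBH /32 when no single signature dominates. The sampling ratio, window, addresses, flow records, blackhole community and the ExaBGP-style announcement text are all assumptions made for illustration.

```python
"""Added example (not from the thread): per-destination rate check over sampled
flow records, answered with a FlowSpec discard or an RTBH /32 rather than a QoS
policer. All flow records, addresses and ratios below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

SAMPLING_RATE = 1000          # assumed 1-in-1000 packet sampling
WINDOW_SECONDS = 10           # assumed aggregation window
THRESHOLD_BPS = 200_000_000   # the "no one IP > 200 Mbps" figure from the thread
DOMINANT_SHARE = 0.9          # assumed: one signature must carry >= 90% of the volume


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    proto: int      # IP protocol number (17 = UDP, 6 = TCP)
    sport: int
    dport: int
    nbytes: int     # bytes in the sampled packet


def rate_per_destination(records, window=WINDOW_SECONDS, sampling=SAMPLING_RATE):
    """Scale sampled bytes back up and convert to bits per second per destination."""
    totals = defaultdict(int)
    for r in records:
        totals[r.dst] += r.nbytes * sampling
    return {dst: total * 8 / window for dst, total in totals.items()}


def find_victims(records, threshold=THRESHOLD_BPS):
    """Destinations whose estimated inbound rate exceeds the threshold."""
    return sorted((dst, bps) for dst, bps in rate_per_destination(records).items()
                  if bps > threshold)


def dominant_signature(records, dst):
    """Largest (proto, sport) tuple toward dst and its share of the volume;
    a reflection attack shows up as one source port (e.g. UDP/123)."""
    by_sig = defaultdict(int)
    for r in records:
        if r.dst == dst:
            by_sig[(r.proto, r.sport)] += r.nbytes
    sig, vol = max(by_sig.items(), key=lambda kv: kv[1])
    return sig, vol / sum(by_sig.values())


def flowspec_rule(dst, sig):
    """FlowSpec discard for one signature toward the victim (ExaBGP-style text, assumed)."""
    proto, sport = sig
    ip_address(dst)  # reject garbage before anything is announced
    return (f"announce flow route {{ match {{ destination {dst}/32; "
            f"protocol ={proto}; source-port ={sport}; }} then {{ discard; }} }}")


def rtbh_advert(dst, community="65000:666", next_hop="192.0.2.1"):
    """RTBH: announce the victim /32 toward a blackhole next-hop (ExaBGP-style text,
    assumed). The victim goes dark; the other customers on the link stay up."""
    ip_address(dst)
    return f"announce route {dst}/32 next-hop {next_hop} community [{community}]"


def mitigate(records, threshold=THRESHOLD_BPS, min_share=DOMINANT_SHARE):
    """One action per victim: surgical FlowSpec drop if one signature dominates,
    otherwise RTBH the destination. Returns (kind, dst, mbps, announcement) tuples,
    which double as the log line the NOC reviews later."""
    actions = []
    for dst, bps in find_victims(records, threshold):
        sig, share = dominant_signature(records, dst)
        if share >= min_share:
            actions.append(("flowspec", dst, bps / 1e6, flowspec_rule(dst, sig)))
        else:
            actions.append(("rtbh", dst, bps / 1e6, rtbh_advert(dst)))
    return actions


# --- constructed sample data -------------------------------------------------
VICTIM, OTHER = "198.51.100.7", "198.51.100.20"

def _ntp_reflection(n_reflectors=20, per_reflector=10):
    """Reflection: many sources, all UDP sport 123, full-size packets."""
    return [FlowRecord(f"203.0.113.{i}", VICTIM, 17, 123, 40000 + i, 1400)
            for i in range(1, n_reflectors + 1) for _ in range(per_reflector)]

def _mixed_flood(n=200):
    """Four different signatures in equal measure, so nothing dominates."""
    sigs = [(17, 53), (17, 123), (17, 1900), (6, 80)]
    return [FlowRecord(f"203.0.113.{i % 250 + 1}", VICTIM, *sigs[i % 4], 8080, 1400)
            for i in range(n)]

LEGIT = ([FlowRecord("192.0.2.50", VICTIM, 6, 52000, 443, 600) for _ in range(10)] +
         [FlowRecord("192.0.2.60", OTHER, 6, 52001, 443, 1000) for _ in range(30)])

SAMPLE_REFLECTION = _ntp_reflection() + LEGIT   # ~224 Mbps attack + 4.8 Mbps legit
SAMPLE_MIXED = _mixed_flood() + LEGIT

if __name__ == "__main__":
    for name, sample in (("reflection", SAMPLE_REFLECTION), ("mixed", SAMPLE_MIXED)):
        for kind, dst, mbps, ann in mitigate(sample):
            print(f"[{name}] {dst} at {mbps:.1f} Mbps -> {kind}: {ann}")
```

The point of the two branches is the one Joel makes: once the attack traffic is identifiable (a single dominant signature), dropping it is strictly better than policing it, because a policer would throttle the victim's legitimate HTTPS flows along with the reflection traffic. When nothing dominates, the RTBH branch does what Frank is asking for: it sacrifices one /32 quickly and automatically so the other customers behind the same link are not affected while someone gets around to looking at the log.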
