Re: DDOS solution recommendation

[Ca By <cb.list6 () gmail com>]

On Sun, Jan 11, 2015 at 6:58 AM, Roland Dobbins <rdobbins () arbor net> wrote:

> On 11 Jan 2015, at 20:52, Ca By wrote:
>
>  1. BCP38 protects your neighbor, do it.
> >
>
> It's to protect yourself, as well.  You should do it all the way down to
> the transit customer aggregation edge, all the way down to the IDC access
> layer, etc.
>
>  2.  Protect yourself by having your upstream police Police UDP to some
> > baseline you are comfortable with.
>
> This will come back to haunt you, when the programmatically-generated
> attack traffic 'crowds out' the legitimate traffic and everything breaks.
>
> You can only really do this for ntp.


I do it for all UDP.  There are bw policers and pps policers.  As I said,
this is known to work for me.  YMMV.

It is a managed risk, like anything.  There are no silver bullets.

I feel bad for people developing things like QUIC and WebRTC on UDP.  But.
i have already informed them of this risk to using UDP instead of a new L4
protocol.

Protip: UDP is a cesspool.  Don't build things on a cesspool where the vast
majority of traffic is illegitimate.   Guilty by association is a real
thing.

 UDP will not have a renaissance

CB

>  3.  Have RTBH ready for some special case.
> >
>
> S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
>
> -----------------------------------
> Roland Dobbins <rdobbins () arbor net>