nanog mailing list archives
Re: DDOS solution recommendation
From: Ca By <cb.list6 () gmail com>
Date: Sun, 11 Jan 2015 07:23:47 -0800
On Sun, Jan 11, 2015 at 6:58 AM, Roland Dobbins <rdobbins () arbor net> wrote:
> On 11 Jan 2015, at 20:52, Ca By wrote:
>
>> 1. BCP38 protects your neighbor, do it.
>
> It's to protect yourself, as well. You should do it all the way down to the transit customer aggregation edge, all the way down to the IDC access layer, etc.
>
>> 2. Protect yourself by having your upstream police UDP to some baseline you are comfortable with.
>
> This will come back to haunt you, when the programmatically-generated attack traffic 'crowds out' the legitimate traffic and everything breaks. You can only really do this for ntp.

I do it for all UDP. There are bw policers and pps policers. As I said, this is known to work for me. YMMV. It is a managed risk, like anything. There are no silver bullets.

I feel bad for people developing things like QUIC and WebRTC on UDP. But I have already informed them of this risk to using UDP instead of a new L4 protocol.

Protip: UDP is a cesspool. Don't build things on a cesspool where the vast majority of traffic is illegitimate. Guilty by association is a real thing. UDP will not have a renaissance.

CB

>> 3. Have RTBH ready for some special case.
>
> S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
>
> -----------------------------------
> Roland Dobbins <rdobbins () arbor net>