nanog mailing list archives
Re: DDOS solution recommendation
From: Tore Anderson <tore () fud no>
Date: Mon, 12 Jan 2015 10:51:58 +0100
* "Roland Dobbins" <rdobbins () arbor net>
> On 12 Jan 2015, at 16:19, Tore Anderson wrote:
>
>> I'd love to use flowspec over D/RTBH, but to me it seems like vapourware.
>
> I meant on your own infrastructure, apologies for the confusion.

Right. So if I first need to accept the traffic onto my infrastructure before I can discard it, I'm dead in the water anyway: My uplinks will sit there at 100% ingress utilisation, dropping legitimate traffic. /32 or /128 D/RTBH announcements towards my transits is my only real option at this point. That helps protect against collateral damage, and if the customer's audience is local, it can also restore full operation for the attacked customer's primary markets (which are usually reached via peers instead of transits).

For attacks that are conveniently sized smaller than my upstream capacity, I could see that flowspec could be useful, but not in a unique way, as inside my own network I can easily distribute targeted stateless discard ACLs in many other ways too (I use Netconf currently).

> Transit providers utilizing Juniper aggregation edge routers could do it now - why they don't, I don't know.

I'd definitively be willing to pay a premium for such a feature.

Tore