nanog mailing list archives
Re: GRE performance over the Internet - DDoS cloud mitigation
From: Dennis B <infinityape () gmail com>
Date: Wed, 1 Jul 2015 15:37:52 -0400
Kenneth, That would also be my recommendation to this scenario. The only caveat would be to consider the risk in the service-policy dropping legit traffic because the policy. Often times, the PPS rates of a DDoS attack fill's the policy queue up with malicious packets, sending the legit packets into a 'blackhole' or whatever mechanism you use to discard. Rate-limiters / QoS / Service-policies are good for some use cases but not for others, I am confident we all agree. In this case, "buying" time by implementing some initiate tactics to maintain stability is well worth the risk of being hard down. While the mean-time to detect, alert, start blocking, and stop the attack is being completed by the Cloud Provider.
From our perspective, we're talking 1 min averages with 5 min stop time for
L3/L4 attacks. Even if these situations were apparent, they'd be short lived. Ramy, Does this answer your question or give you some ideas? It was pointed out to me that this thread started June 8th, didn't see any other replies. DB On Wed, Jul 1, 2015 at 12:15 PM, Kenneth McRae <kenneth.mcrae () me com> wrote:
How stable can GRE transports and BGP sessions be when under load? I typically protect the BGP session by policing all traffic being delivered to the remote end except for BGP. Using this posture, my BGP session over GRE are stable; even under attack. Kenneth On Jun 30, 2015, at 01:37 PM, Dennis B <infinityape () gmail com> wrote: Roland, Agreed, Ramy's scenario was not truly spot on, but his question still remains. Perf implications when cloud security providers time to detect/mitigate is X minutes. How stable can GRE transports and BGP sessions be when under load? In my technical opinion, this is a valid argument, which deems wide opinion. Specifically, use-cases about how to apply defense in depth logically in the DC vs Hybrid vs Pure Cloud. Good topic, already some back-chatter personal opinions from Nanog lurkers! Regards, Dennis B. On Tue, Jun 30, 2015 at 2:45 PM, Roland Dobbins <rdobbins () arbor net> wrote: On 1 Jul 2015, at 1:37, Dennis B wrote: Would you like to learn more? lol I'm quite conversant with all these considerations, thanks. OP asserted that BGP sessions for diversion into any cloud DDoS mitigation service ran from the endpoint network through GRE tunnels to the cloud-based mitigation provider. I was explaining that in most cloud mitigation scenarios, GRE tunnels are used for re-injection of 'clean' traffic to the endpoint networks. ----------------------------------- Roland Dobbins <rdobbins () arbor net>
Current thread:
- Re: GRE performance over the Internet - DDoS cloud mitigation Kenneth McRae (Jul 01)
- Re: GRE performance over the Internet - DDoS cloud mitigation Dennis B (Jul 01)