nanog mailing list archives

RE: Over a decade of DDOS--any progress yet?


From: Drew Weaver <drew.weaver () thenap com>
Date: Fri, 10 Dec 2010 15:23:30 -0500

Upstream providers generally have a hard time allowing you to write routes that you don't own into their table(s).

thanks,
-Drew


-----Original Message-----
From: Chris Boyd [mailto:cboyd () gizmopartners com] 
Sent: Wednesday, December 08, 2010 2:19 PM
To: NANOG
Subject: Re: Over a decade of DDOS--any progress yet?


On Dec 8, 2010, at 9:33 AM, Arturo Servin wrote:

      Yes, but all of them rely on your upstreams or on mirroring your content. If 100 Mbps are reaching your input interface of 10Mbps there is not much that you can do.


Hmm.  What would be really cool is if you could use Snort, NetFlow/NBAR, or some other sort of DPI tech to find 
specifically the IP addresses of the DDoS bots, and then pass that information back upstream via BGP communities that 
tell your peer router to drop traffic from those addresses.  That way the target of the traffic can continue to 
function if the DDoS traffic doesn't closely mimic the normal traffic.

Your BGP peer router would need to have lots of memory for /32 or /64 routes though.

Anyone heard of such a beast?  Or is this how the stuff from places like Arbor Networks does its thing?

--Chris
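The mechanism Chris sketches (pull the attacking source addresses out of flow data and hand them upstream as host routes tagged with a blackhole community) and the objection Drew raises (an upstream only accepts routes that fall inside prefixes you are authorised to announce), as an added Python example that is not part of the thread. The flow records, the 64500:666 community value and the upstream import-filter model are constructed assumptions, not any vendor's or provider's implementation.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (src, dst, bytes); not real NetFlow export data.
# 192.0.2.0/24 stands in for the attacked network, the other addresses for bots.
FLOWS = [
    ("203.0.113.5", "192.0.2.10", 1_500_000),
    ("203.0.113.5", "192.0.2.10", 1_400_000),
    ("198.51.100.9", "192.0.2.10", 2_000_000),
    ("198.51.100.9", "192.0.2.10", 1_900_000),
    ("203.0.113.77", "192.0.2.10", 40_000),  # ordinary client, below threshold
    ("203.0.113.5", "192.0.2.20", 900_000),  # other destination, not counted
]
BLACKHOLE_COMMUNITY = "64500:666"  # placeholder; the real value is upstream-specific


def find_attack_sources(flows, victim, min_bytes):
    """Sum bytes per source sent toward `victim` and return the sources whose
    total reaches `min_bytes`, heaviest first (the 'find the bot IPs' step)."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if dst == victim:
            totals[src] += nbytes
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [src for src, total in ranked if total >= min_bytes]


def host_route(addr):
    """Host prefix for an address: /32 for IPv4, /128 for IPv6."""
    ip = ip_address(addr)
    return ip_network(f"{ip}/{ip.max_prefixlen}")


def blackhole_announcements(prefixes, community=BLACKHOLE_COMMUNITY):
    """Tag each prefix with the community that asks the upstream to drop it."""
    return [(str(p), community) for p in prefixes]


def upstream_accepts(announcements, customer_prefixes):
    """Model an upstream's import filter: a route is accepted only if it lies
    inside a prefix the customer may announce. Returns (accepted, rejected)."""
    owned = [ip_network(p) for p in customer_prefixes]
    accepted, rejected = [], []
    for prefix, community in announcements:
        net = ip_network(prefix)
        ok = any(net.version == o.version and net.subnet_of(o) for o in owned)
        (accepted if ok else rejected).append((prefix, community))
    return accepted, rejected


if __name__ == "__main__":
    bots = find_attack_sources(FLOWS, "192.0.2.10", min_bytes=1_000_000)
    source_rtbh = blackhole_announcements(host_route(b) for b in bots)
    victim_rtbh = blackhole_announcements([host_route("192.0.2.10")])
    acc, rej = upstream_accepts(source_rtbh + victim_rtbh, ["192.0.2.0/24"])
    print("source-based routes rejected:", rej)  # the bot /32s are not ours
    print("destination-based route accepted:", acc)  # only our own victim /32
```

Run as-is, the bot host routes are rejected by the modelled filter and only the blackhole for the victim's own /32 gets through, which is exactly the gap between Chris's proposal and Drew's reply.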

