nanog mailing list archives
Re: D/DoS mitigation hardware/software needed.
From: John Kristoff <jtk () cymru com>
Date: Tue, 5 Jan 2010 11:13:53 -0600
On Tue, 5 Jan 2010 04:20:51 +0000 "Dobbins, Roland" <rdobbins () arbor net> wrote:
> S/RTBH and/or flow-spec are great DDoS mitigation tools which don't require any further investment beyond the network infrastructure an operator has already purchased and deployed. These should be the first mitigation tools anyone deploys; in many cases, they're all that's needed.
I still wish we would have had something like Bellovin's Pushback implemented as a separate protocol rather than flow-spec over BGP, but having lost that battle we have been playing around with a (free) community, but vetted participant, flow-spec over BGP service if folks are interested in trying it out. Just shoot me a note offline. You need an ASN, a flow-spec capable router and must be a verifiable admin/sec contact for said ASN (whatever that means :-).

Basic idea is for folks who want to receive one or more sets of flow-spec feeds and/or inject things they want others to filter on (limited to your own routes) you can do so. No need for direct peering and like you say Roland, many networks already have all they need to start doing these sorts of things.

Please note, we realize there are a variety of issues in implementing this sort of thing, but if we can find a way to make it trustworthy and workable, that is why we're here.

Those not familiar with flow-spec can read up:

<http://tools.ietf.org/html/rfc5575>

In a nutshell, distributed router filters via BGP.

John
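
The "limited to your own routes" condition in the message above can be checked mechanically before a participant's filter is redistributed to other networks. The sketch below is an added illustration, not code from the message or from any such service; the ASNs, prefixes, dict-based rule format and the `vet_rule` name are constructed assumptions.

```python
import ipaddress

# Constructed sample data: prefixes each vetted participant ASN is
# verified to originate (documentation ASNs and prefixes).
VERIFIED_ROUTES = {
    64500: ["192.0.2.0/24", "2001:db8::/32"],
    64501: ["198.51.100.0/24"],
}


def vet_rule(asn, rule, routes=VERIFIED_ROUTES):
    """Decide whether a submitted filter rule may be redistributed.

    `rule` is a hypothetical dict form of a flow-spec rule, for example
    {"destination": "192.0.2.10/32", "protocol": 17, "dst_port": 53}.
    Returns (accepted, reason).
    """
    if asn not in routes:
        return False, "ASN is not a vetted participant"

    dest = rule.get("destination")
    if not dest:
        # Without a destination the filter would match traffic towards
        # every network, so it cannot be tied to the submitter's routes.
        return False, "rule has no destination prefix"

    try:
        target = ipaddress.ip_network(dest, strict=True)
    except ValueError:
        return False, "malformed destination prefix"

    for prefix in routes[asn]:
        net = ipaddress.ip_network(prefix)
        # subnet_of() raises TypeError across address families, so
        # compare versions first. A broader prefix is not a subnet of
        # the verified route and falls through to the rejection.
        if net.version == target.version and target.subnet_of(net):
            return True, f"covered by {net}"

    return False, "destination is outside the participant's own routes"


if __name__ == "__main__":
    samples = [
        (64500, {"destination": "192.0.2.10/32", "protocol": 17, "dst_port": 53}),
        (64500, {"destination": "198.51.100.5/32", "protocol": 6}),
        (64500, {"destination": "192.0.2.0/23"}),
        (64500, {"protocol": 17, "dst_port": 53}),
    ]
    for asn, rule in samples:
        print(asn, rule, "->", vet_rule(asn, rule))
```
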