Re: D/DoS mitigation hardware/software needed.

[Adrian Chadd <adrian () creative net au>]

On Tue, Jan 05, 2010, Stefan Fouant wrote:

> Almost all of the scalable DDoS mitigation architectures deployed in
> carriers or other large enterprises employ the use of an offramp method.
> These devices perform a lot better when you can forward just the subset of
> the traffic through as opposed to all.  It just a simple matter of using
> static routing / RTBH techniques / etc. to automate the offramp.

Has anyone deployed a DDoS distributed enough to inject ETOOMANY routes into
the hardware forwarding tables of routers?

I mean, I assume that there's checks and balances in place to limit
then number of routes being injected into the network so one doesn't
overload the tables, but what's the behaviour if/when this limit is
reached? Does mitigation cease being as effective?




Adrian