nanog mailing list archives
Re: DDOS, IDS, RTBH, and Rate limiting
From: "Roland Dobbins" <rdobbins () arbor net>
Date: Sun, 09 Nov 2014 10:27:27 +0700
On 9 Nov 2014, at 10:12, Jon Lewis wrote:
> The tricky part is when to remove the route...since you can't tell if the attack has ended while the target is black holed by your upstreams.
You can with NetFlow, if you've D/RTBHed the IP in question on your own infrastructure. NetFlow reports statistics on dropped traffic (except on a few platforms with implementation deficiencies).
But this kind of thing punishes the victim. It's far better to do everything possible to *protect* the target(s) of an attack, and only use D/RTBH as a last resort.
-----------------------------------
Roland Dobbins <rdobbins () arbor net>
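
Added example, not part of the original message: one way to use flow records of dropped traffic to decide when a D/RTBH route can be withdrawn. The record field names, sampling rate, threshold and sample data are assumptions constructed for illustration; the drop test uses the NetFlow v9 / IPFIX forwardingStatus field (89), whose top two bits are 0b10 for dropped traffic.

```python
from collections import defaultdict

# Constructed sample records (hypothetical field names): ts = epoch seconds,
# fwd_status = NetFlow v9 / IPFIX forwardingStatus (field 89) byte.
SAMPLE_FLOWS = [
    {"ts": 5,   "dst": "192.0.2.10", "packets": 600, "fwd_status": 0x80},
    {"ts": 70,  "dst": "192.0.2.10", "packets": 300, "fwd_status": 0x80},
    {"ts": 125, "dst": "192.0.2.10", "packets": 6,   "fwd_status": 0x80},
    {"ts": 190, "dst": "192.0.2.10", "packets": 3,   "fwd_status": 0x80},
    {"ts": 250, "dst": "192.0.2.10", "packets": 1,   "fwd_status": 0x80},
    {"ts": 250, "dst": "192.0.2.99", "packets": 900, "fwd_status": 0x80},  # other host
    {"ts": 255, "dst": "192.0.2.99", "packets": 50,  "fwd_status": 0x40},  # forwarded
]


def is_dropped(fwd_status):
    """Top two bits of forwardingStatus: 0b01 forwarded, 0b10 dropped."""
    return (fwd_status >> 6) == 0b10


def dropped_pps(flows, target, sampling=1000, bucket=60):
    """Estimated packets/sec of *dropped* traffic to target, per time bucket.

    sampling is the assumed 1-in-N packet sampling rate of the exporter.
    """
    pkts = defaultdict(int)
    for f in flows:
        if f["dst"] == target and is_dropped(f["fwd_status"]):
            pkts[f["ts"] - f["ts"] % bucket] += f["packets"] * sampling
    return {t: n / bucket for t, n in sorted(pkts.items())}


def safe_to_withdraw(rates, now, threshold_pps, quiet_buckets=3, bucket=60):
    """True if the last quiet_buckets complete buckets are all below threshold.

    If no dropped traffic was ever recorded for the target, return False:
    the platform may not export drop statistics, so silence proves nothing.
    """
    if not rates:
        return False
    last = now - now % bucket  # bucket containing `now` is still incomplete
    window = [last - bucket * i for i in range(1, quiet_buckets + 1)]
    return all(rates.get(t, 0.0) < threshold_pps for t in window)


if __name__ == "__main__":
    rates = dropped_pps(SAMPLE_FLOWS, "192.0.2.10")
    print(rates, safe_to_withdraw(rates, now=300, threshold_pps=200))
```

An empty bucket is treated as zero dropped traffic, so a check that the exporter is still sending records at all should sit alongside this in practice.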