Re: DDOS solution recommendation

[Dave Bell <me () geordish org>]

Maybe try the Cisco CSR1000v. In the trial mode it won't give you a
decent throughput, but should have all features enabled.

On 11 January 2015 at 15:02, Ammar Zuberi <ammar () fastreturn net> wrote:
> I’m stuck trying to find a virtual router environment that I can play with flowspec on. We do have some Juniper 
> routers, but they are in production and I don’t think I want to touch flowspec on them just yet.
>
> Does anyone have any experience or any ideas here? Even openbgpd?
>
> > On Jan 11, 2015, at 6:58 PM, Roland Dobbins <rdobbins () arbor net> wrote:
> >
> >
> > On 11 Jan 2015, at 20:52, Ca By wrote:
> >
> > > 1. BCP38 protects your neighbor, do it.
> >
> > It's to protect yourself, as well.  You should do it all the way down to the transit customer aggregation edge, all 
> > the way down to the IDC access layer, etc.
> >
> > > 2.  Protect yourself by having your upstream police Police UDP to some
> > > baseline you are comfortable with.
> >
> > This will come back to haunt you, when the programmatically-generated attack traffic 'crowds out' the legitimate 
> > traffic and everything breaks.
> >
> > You can only really do this for ntp.
> >
> > > 3.  Have RTBH ready for some special case.
> >
> > S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
> >
> > -----------------------------------
> > Roland Dobbins <rdobbins () arbor net>