Re: GRE performance over the Internet - DDoS cloud mitigation

[Dennis B <infinityape () gmail com>]

Kenneth,

That would also be my recommendation to this scenario. The only caveat
would be to consider the risk in the service-policy dropping legit traffic
because the policy. Often times, the PPS rates of a DDoS attack fill's the
policy queue up with malicious packets, sending the legit packets into a
'blackhole' or whatever mechanism you use to discard.

Rate-limiters / QoS / Service-policies are good for some use cases but not
for others, I am confident we all agree.

In this case, "buying" time by implementing some initiate tactics to
maintain stability is well worth the risk of being hard down. While the
mean-time to detect, alert, start blocking, and stop the attack is being
completed by the Cloud Provider.

> From our perspective, we're talking 1 min averages with 5 min stop time for
L3/L4 attacks. Even if these situations were apparent, they'd be short
lived.

Ramy,

Does this answer your question or give you some ideas?

It was pointed out to me that this thread started June 8th, didn't see any
other replies.

DB




On Wed, Jul 1, 2015 at 12:15 PM, Kenneth McRae <kenneth.mcrae () me com> wrote:

> How stable can GRE transports and BGP sessions be when under load?
>
>
> I typically protect the BGP session by policing all traffic being
> delivered to the remote end except for BGP.  Using this posture, my BGP
> session over GRE are stable; even under attack.
>
> Kenneth
>
> On Jun 30, 2015, at 01:37 PM, Dennis B <infinityape () gmail com> wrote:
>
> Roland,
>
> Agreed, Ramy's scenario was not truly spot on, but his question still
> remains. Perf implications when cloud security providers time to
> detect/mitigate is X minutes. How stable can GRE transports and BGP
> sessions be when under load?
>
> In my technical opinion, this is a valid argument, which deems wide
> opinion. Specifically, use-cases about how to apply defense in depth
> logically in the DC vs Hybrid vs Pure Cloud.
>
> Good topic, already some back-chatter personal opinions from Nanog lurkers!
>
> Regards,
>
> Dennis B.
>
>
> On Tue, Jun 30, 2015 at 2:45 PM, Roland Dobbins <rdobbins () arbor net>
> wrote:
>
>
> On 1 Jul 2015, at 1:37, Dennis B wrote:
>
>
> Would you like to learn more? lol
>
>
>
> I'm quite conversant with all these considerations, thanks.
>
>
> OP asserted that BGP sessions for diversion into any cloud DDoS mitigation
>
> service ran from the endpoint network through GRE tunnels to the
>
> cloud-based mitigation provider. I was explaining that in most cloud
>
> mitigation scenarios, GRE tunnels are used for re-injection of 'clean'
>
> traffic to the endpoint networks.
>
>
> -----------------------------------
>
> Roland Dobbins <rdobbins () arbor net>