nanog mailing list archives

Re: Getting hit hard by CHINANET


From: Mark Tinka <mark.tinka () seacom mu>
Date: Wed, 18 Mar 2015 08:32:36 +0200



On 18/Mar/15 08:19, Roland Dobbins wrote:


> The assumption is that the OP is an end-customer/endpoint network, and willing to pay for same, if necessary.

My general experience is that customers are not willing to pay for implementation of data plane filters. They'd be willing to pay for traffic scrubbing, however.


> Even if that's not the case, that's how DDoS attacks are routinely and cooperatively mitigated between providers, when it's possible to block based on source, number of sources isn't overwhelming, etc.

That's one of two issues - if the sources are overwhelming, how does one scale that up without the use of some scrubbing service? Writing data plane filters that are customer-specific works (assuming you have the hardware for it), but can get unwieldy.

The other issues are the chance to boo-boo things when filtering a customer-facing port, and/or forgetting to remove filters after they are needed and the customer (or the remote end) ends up having reachability issues.

Mark.

