nanog mailing list archives
Re: BGP FlowSpec
From: "Alexander Maassen" <outsider () scarynet org>
Date: Mon, 2 May 2016 15:03:43 +0200
On Mon, May 2, 2016 2:30 pm, Danny McPherson wrote:
We use it effectively in a layered model where "Principle of Minimal Intervention" applies, allowing attack mitigation and traffic diversion in the most optimal place (e.g., at network ingress), and only scrubbing or diverting traffic when necessary.
Sorry to say, but the most optimal place for ddos mitigation is at network egress of origin. What comes in mind regarding that is the ability for target ASN telling source ASN to stop sending packets from a specific (let's say /29) in the case of a DDoS (with appropiate security measures in place off course). Because, let's face it, why would a target of a ddos need to nullroute itself?
Current thread:
- Re: BGP FlowSpec Danny McPherson (May 02)
- Re: BGP FlowSpec Alexander Maassen (May 02)
- Re: BGP FlowSpec Martin Bacher (May 02)
- Re: BGP FlowSpec Danny McPherson (May 02)
- Re: BGP FlowSpec Martin Bacher (May 02)
- Re: BGP FlowSpec Martin Bacher (May 02)
- Re: BGP FlowSpec Danny McPherson (May 02)
- Re: BGP FlowSpec Roland Dobbins (May 02)
- Re: BGP FlowSpec jim deleskie (May 02)
- Re: BGP FlowSpec Roland Dobbins (May 02)
- Re: BGP FlowSpec Martin Bacher (May 02)
- Re: BGP FlowSpec Roland Dobbins (May 02)
- Re: BGP FlowSpec Martin Bacher (May 02)
- Re: BGP FlowSpec Alexander Maassen (May 02)