nanog mailing list archives

Re: BGP FlowSpec

From: "Alexander Maassen" <outsider () scarynet org>
Date: Mon, 2 May 2016 15:03:43 +0200

On Mon, May 2, 2016 2:30 pm, Danny McPherson wrote:

We use it effectively in a layered model where "Principle of Minimal
Intervention" applies, allowing attack mitigation and traffic diversion
in the most optimal place (e.g., at network ingress), and only scrubbing
or diverting traffic when necessary.


Sorry to say, but the most optimal place for ddos mitigation is at network
egress of origin. What comes in mind regarding that is the ability for
target ASN telling source ASN to stop sending packets from a specific
(let's say /29) in the case of a DDoS (with appropiate security measures
in place off course).

Because, let's face it, why would a target of a ddos need to nullroute
itself?

Current thread:

Re: BGP FlowSpec Danny McPherson (May 02)
- Re: BGP FlowSpec Alexander Maassen (May 02)
  - Re: BGP FlowSpec Martin Bacher (May 02)
    - Re: BGP FlowSpec Danny McPherson (May 02)
- Re: BGP FlowSpec Martin Bacher (May 02)
  - Re: BGP FlowSpec Danny McPherson (May 02)
  - Re: BGP FlowSpec Roland Dobbins (May 02)
    - Re: BGP FlowSpec jim deleskie (May 02)
    - Re: BGP FlowSpec Roland Dobbins (May 02)
    - Re: BGP FlowSpec Martin Bacher (May 02)
    - Re: BGP FlowSpec Roland Dobbins (May 02)
    - Re: BGP FlowSpec Martin Bacher (May 02)

(Thread continues...)