Re: automatic rtbh trigger using flow data

[Baldur Norddahl <baldur.norddahl () gmail com>]

I would redirect the packet to a VRF with one global drop UDP ACL. That
scales perfectly. There is probably many ways to implement such a feature.


søn. 2. sep. 2018 11.07 skrev Ryan Hamel <Ryan.Hamel () quadranet com>:

> Baldur,
>
>
>
> Modifying the routing table with a next-hop change from a community, is
> different than having a line card filtering packets at layer 4, of course
> most if not all carriers will support it. Instead of doing normal TCAM
> route lookups, you’re getting into packet inspection territory, which is
> something completely different.
>
>
>
> Just quickly reading the ASR 9K documentation, it can only support 3K
> rules per system. Juniper – 8K, Alcatel-Lucent – 512. That’s pretty low
> considering I can put many /32s into a routing table very easily and
> without hassle.
>
>
>
> As I said before, no ISP is going to offer such filtering services for
> free when DDoS mitigation is a cash cow.
>
>
>
> Ryan Hamel
>
>
>
> *From:* NANOG <nanog-bounces () nanog org> *On Behalf Of *Baldur Norddahl
> *Sent:* Sunday, September 02, 2018 1:42 AM
> *To:* nanog () nanog org
> *Subject:* Re: automatic rtbh trigger using flow data
>
>
>
> This is not true. Some of our transits do RTBH for free. For example
> Cogent.
>
>
>
> They will not do FlowSpec. Maybe their equipment can not do it or for some
> other reason.
>
>
>
> However RTBH is a simple routing hack that can be implemented on any
> router. The traffic is dropped right at the edge and is never transported
> on the transit provider network. In that sense it also protects the transit
> network.
>
>
>
> RTBH only for UDP would also be a very simple hack on many routers.
>
>
>
> It might not be FlowSpec, but it may have most of the benefit, in a much
> simplified way.
>
>
>
> Regards
>
>
>
> Baldur
>
>
>
>
>
> søn. 2. sep. 2018 02.39 skrev Ryan Hamel <Ryan.Hamel () quadranet com>:
>
> No ISP is in the business of filtering traffic unless the client pays the
> hefty fee since someone still has to tank the attack.
>
>
>
> I also don’t think there is destination prefix IP filtering in flowspec,
> which could seriously cause problems.
>
>
>
> *From:* NANOG <nanog-bounces () nanog org> *On Behalf Of *Baldur Norddahl
> *Sent:* Saturday, September 01, 2018 5:18 PM
> *To:* nanog () nanog org
> *Subject:* Re: automatic rtbh trigger using flow data
>
>
>
>
>
> fre. 31. aug. 2018 17.16 skrev Hugo Slabbert <hugo () slabnet com>:
>
>
>
> I would love an upstream that accepts flowspec routes to get granular
> about
> drops and to basically push "stateless ACLs" upstream.
>
> _keeps dreaming_
>
>
>
>
>
> We just need a signal to drop UDP for a prefix. The same as RTBH but only
> for UDP. This would prevent all volumetric attacks without the end user
> being cut off completely.
>
>
>
> Besides from some games, VPN and VoIP, they would have an almost
> completely normal internet experience. DNS would go through the ISP servers
> and only be affected if the user is using a third party service.
>
>
>
> Regards
>
>
>
> Baldur