nanog mailing list archives

Re: Best way to get foreign ISPs to shut down DDoS reflectors?


From: William Herrin <bill () herrin us>
Date: Thu, 23 Apr 2020 15:16:27 -0700

On Thu, Apr 23, 2020 at 2:38 PM Shawn L via NANOG <nanog () nanog org> wrote:
> This brings up an interesting question -- what is "good DDoS protection" on an ISP scale?  Apart from having enough
> bandwidth to weather the attack and having upstream providers attempt to filter it for you?

Hi Shawn,

I believe the normal mechanism is that you use BGP to sink the
impacted /24s at many high-bandwidth exchange points worldwide,
filter, and pass the traffic which the filter accepts back to your
core infrastructure via a tunnel (VPN).

Build or buy.

If it's practical to sink the bandwidth near the DDOS target, I
wouldn't think it was much of a DDOS.

A question which interests me: How many attacks do folks find landing
in the middle-ground between "annoying but readily handled" and "far
beyond my ability?"

Regards,
Bill Herrin


-- 
William Herrin
bill () herrin us
https://bill.herrin.us/

