<p>good points. and this is why it falls back on the originating networks to fix their problems ie udp spoof so that they arent sending so much traffic in the first place. obviously not much of a fix and they have no motivation to ( more traffic out = more transit sold to downstreams).. but...</p>
<p>sent from android</p>
<div class="gmail_quote">On May 12, 2013 9:22 AM, "Phillip Grasso" <<a href="mailto:phillip.grasso@gmail.com">phillip.grasso@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>my pessimistic 2cents. </div><div><br></div>Attack volumes should continue to grow proportionally with defensive capability, the capability would reduce to fewer possible attackers (less script kiddies, more large scale professional botnets and state sponsored ops). 40-100G attacks happen now for big targets but my guess it will be common place for rest of market in near future. The bigger risk is how does this affect the second / third tier service providers not able to protect themselves from these types of attacks and what "protection" costs would be required from upstream providers. Already some large providers charge for "DDoS protection". <div>
<br></div><div><div>Capacity based DDoS attacks obviously can hurt, but its well known and mostly can be overcome with some filtering, blackholing etc. There are other vectors are increasingly growing concerned e.g. Rolands prior ausnog talk; (where firewalls fall over). Infrastructure weakness attacks can have a greater impact for more sustained period. attacking specific weaknesses in BGP or TCP stacks, or exceeding forwarding rates on devices (not capacity). </div>
</div><div><br></div><div>On another note; </div><div>There's a possible huge economic and market cost here; it "may" mean that smaller players have harder time to operate against the larger operators that can provide protections at scale. It requires players to have significantly greater amount of network capacity (or infrastructure hardware capacity then needed) A large player can do with less of this and overall percentage of headroom may be minimal. It would be really hard for smaller operators to exist in market without clear 'protection' from larger operators / upstreams. </div>
<div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, May 10, 2013 at 11:18 PM, James Braunegg <span dir="ltr"><<a href="mailto:james.braunegg@micron21.com" target="_blank">james.braunegg@micron21.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear Roland<br>
<br>
Nice feature.... back to school I must go ;)<br>
<div><br>
Kindest Regards<br>
<br>
James Braunegg<br>
W: <a href="tel:1300%20769%20972" value="+611300769972" target="_blank">1300 769 972</a> | M: <a href="tel:0488%20997%20207" value="+61488997207" target="_blank">0488 997 207</a> | D: <a href="tel:%2803%29%209751%207616" value="+61397517616" target="_blank">(03) 9751 7616</a><br>
E: <a href="mailto:james.braunegg@micron21.com" target="_blank">james.braunegg@micron21.com</a> | ABN: <a href="tel:12%20109%20977%20666" value="+12109977666" target="_blank">12 109 977 666</a> <br>
<br>
<br>
<br>
This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.<br>
<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.net</a> [mailto:<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.net</a>] On Behalf Of Dobbins, Roland<br>
</div><div>Sent: Friday, May 10, 2013 11:13 PM<br>
To: <a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a><br>
Subject: Re: [AusNOG] DDOS mitigation<br>
<br>
<br>
</div><div><div>On May 10, 2013, at 7:51 PM, James Braunegg wrote:<br>
<br>
> Have you had enough capacity to be able to absorb attacks thus collect metrics or have the attacks been larger than your capacity and hence requiring the need for S/RTBH thus losing the ability to measure the true size of the attack ?<br>
<br>
S/RTBH doesn't in and of itself take away one's visibility into traffic on platforms with decent flow telemetry support - dropped traffic is still tabulated, with the destination ifindex set to 0.<br>
<br>
Notable exceptions are pre-Sup2T Cisco 6500s/7600s, & pre-Sup7 Cisco 4500s.<br>
<br>
-----------------------------------------------------------------------<br>
Roland Dobbins <<a href="mailto:rdobbins@arbor.net" target="_blank">rdobbins@arbor.net</a>> // <<a href="http://www.arbornetworks.com" target="_blank">http://www.arbornetworks.com</a>><br>
<br>
Luck is the residue of opportunity and design.<br>
<br>
-- John Milton<br>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</div></div></blockquote></div><br></div>
<br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div>