[AusNOG] DDOS mitigation
Chris Chaundy
chris.chaundy at gmail.com
Thu May 9 18:38:35 EST 2013
Well, Nextgen offers RTBH, as do Tata/VSNL, Verizon and NTT and others mentioned. Start the process of elimination. :-)
BTW, we modify/propagate the community where possible to stop things closer to the source.
Re: S/RTBH, we use customer ingress filtering and we don't trust customers to apply this (easy to accidentally or deliberately take out someone else, see 4.1 in the RFC noted below), but we can apply this from the NOC after vetting things. The one drawback is that you really need to carry full routing tables everywhere.
Cheers, Chris Chaundy
Sent from my iPad
On 09/05/2013, at 6:12 PM, "Dobbins, Roland" <rdobbins at arbor.net> wrote:
>
> On May 9, 2013, at 1:37 PM, Matt Carter wrote:
>
>> Consider if you want to blackhole a /32 because it is under attack, with some of the bit rates seen in recent attacks, it's potentially/likely affecting the upstream provider as well and may have impact to their other customers or at least a segment of their access network.
>
> It's odd how folks still tend to focus on destination-based blackholing, when S/RTBH works quite well:
>
> <http://tools.ietf.org/html/rfc5635>
>
> <https://www.box.com/s/xznjloitly2apixr5xge>
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
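The reply above says S/RTBH requests are applied from the NOC only after vetting, because a source blackhole can take out someone else. As an added example (not part of the original thread, and not the poster's tooling), here is one way such a vetting step could look. The protected prefixes, the minimum prefix lengths and the function name are assumptions, and all addresses are documentation ranges.

```python
import ipaddress

# Constructed sample data: sources the NOC must never blackhole
# (own infrastructure, customer allocations). Documentation ranges only.
PROTECTED = {
    "own-infrastructure": "192.0.2.0/24",
    "customer-A": "198.51.100.0/25",
}

# Assumed policy: refuse source prefixes broader than these lengths.
MIN_PREFIX_LEN = {4: 24, 6: 64}


def vet_source_blackhole(prefix, protected=PROTECTED, min_len=MIN_PREFIX_LEN):
    """Return (accepted, reason) for a requested S/RTBH source prefix."""
    try:
        # strict=True rejects prefixes with host bits set, e.g. 192.0.2.1/24
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"invalid prefix: {exc}"

    # A short prefix drops traffic from far more sources than one attacker.
    limit = min_len[net.version]
    if net.prefixlen < limit:
        return False, f"too broad: /{net.prefixlen} is shorter than /{limit}"

    # Any overlap with a protected range would cut off a legitimate party.
    for owner, raw in protected.items():
        guarded = ipaddress.ip_network(raw)
        if guarded.version == net.version and net.overlaps(guarded):
            return False, f"overlaps protected prefix {guarded} ({owner})"

    return True, "ok"


if __name__ == "__main__":
    # Constructed requests covering the accept case and each reject case.
    for request in ("203.0.113.7/32", "198.51.100.10/32",
                    "203.0.0.0/16", "192.0.2.1/24"):
        print(request, vet_source_blackhole(request))
```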