[AusNOG] DDOS mitigation
Dobbins, Roland
rdobbins at arbor.net
Fri May 10 07:07:19 EST 2013
On May 9, 2013, at 11:11 PM, David Miller wrote:
> +1 No transit providers provide S/RTBH to customers for the reasons pointed out above and in the RFC. Perhaps very few transit providers
> offer it to customers, I've never seen it. I would be greatly concerned by any provider that did offer it to any customer other than me.
My point in bringing up S/RTBH was to note that one isn't limited to 'destroying the village in order to save it' via D/RTBH, and that there are in fact creative ways that operators can more safely provide their downstream customers with S/RTBH capability, such as a dual-advertisement strategy which a) triggers diversion of traffic destined to the attack targets into a mitigation center and b) denotes the attack source(s) to be dropped on the mitigation center coreward interfaces, thus only dropping traffic emanating from said attack sources and destined for attack targets whose traffic is being diverted through the mitigation center gateways.
> What we should ALL be shouting at router vendors and transit providers to support is Flowspec - RFC 5575 ( http://www.ietf.org/rfc/rfc5575.txt ).
Yes, absolutely; it should be included in all router and layer-3 switch RFPs as a hard requirement.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
More information about the AusNOG
mailing list