DDOS solution recommendation

Ca By cb.list6 at gmail.com
Sun Jan 11 15:23:47 UTC 2015


On Sun, Jan 11, 2015 at 6:58 AM, Roland Dobbins <rdobbins at arbor.net> wrote:

>
> On 11 Jan 2015, at 20:52, Ca By wrote:
>
>> 1. BCP38 protects your neighbor, do it.
>>
>
> It's to protect yourself, as well.  You should do it all the way down to
> the transit customer aggregation edge, all the way down to the IDC access
> layer, etc.
>
>> 2.  Protect yourself by having your upstream police UDP to some
>> baseline you are comfortable with.
>>
>
> This will come back to haunt you, when the programmatically-generated
> attack traffic 'crowds out' the legitimate traffic and everything breaks.
>
> You can only really do this for ntp.


I do it for all UDP.  There are bw policers and pps policers.  As I said,
this is known to work for me.  YMMV.

It is a managed risk, like anything.  There are no silver bullets.

I feel bad for people developing things like QUIC and WebRTC on UDP.  But
I have already informed them of this risk of using UDP instead of a new L4
protocol.

Protip: UDP is a cesspool.  Don't build things on a cesspool where the vast
majority of traffic is illegitimate.   Guilty by association is a real
thing.

UDP will not have a renaissance.

CB

>
>
>> 3.  Have RTBH ready for some special case.
>>
>
> S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
>
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>
>
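
The trade-off argued over in this thread, as an added example that is not from either poster: a policer applied to all UDP as one class (both a bandwidth and a pps bucket) caps what is forwarded, but it cannot tell legitimate packets from attack packets, so legitimate UDP survives only in proportion to its share of the offered load. The class name, rates, packet sizes and burst setting are constructed assumptions.

```python
import random

TICKS_PER_S = 1000  # simulate in 1 ms steps


class UdpPolicer:
    """Token buckets for bits/s and packets/s over the whole UDP class."""
    def __init__(self, bps, pps, burst_s=0.01):
        self.bps, self.pps = bps, pps
        self.bit_cap, self.pkt_cap = bps * burst_s, pps * burst_s
        self.bits, self.pkts = self.bit_cap, self.pkt_cap  # start full

    def refill(self, dt):
        self.bits = min(self.bit_cap, self.bits + self.bps * dt)
        self.pkts = min(self.pkt_cap, self.pkts + self.pps * dt)

    def allow(self, size_bytes):
        need = size_bytes * 8
        if self.bits >= need and self.pkts >= 1:
            self.bits -= need
            self.pkts -= 1
            return True
        return False  # exceed action: drop


def simulate(attack_pps, legit_pps=5_000, seconds=5, seed=1):
    """Return (fraction of legitimate UDP forwarded, UDP packets/s forwarded)."""
    rng = random.Random(seed)                  # fixed seed: repeatable run
    pol = UdpPolicer(bps=100e6, pps=20_000)    # constructed baseline
    legit = [("legit", 200)] * (legit_pps // TICKS_PER_S)     # 200-byte packets
    attack = [("attack", 468)] * (attack_pps // TICKS_PER_S)  # 468-byte packets
    legit_ok = total_ok = 0
    for _ in range(seconds * TICKS_PER_S):
        pol.refill(1 / TICKS_PER_S)
        arrivals = legit + attack
        rng.shuffle(arrivals)                  # arrival order within the tick
        for kind, size in arrivals:
            if pol.allow(size):
                total_ok += 1
                legit_ok += kind == "legit"
    return legit_ok / (legit_pps * seconds), total_ok / seconds


if __name__ == "__main__":
    print("no attack      :", simulate(attack_pps=0))
    print("200 kpps attack:", simulate(attack_pps=200_000))
```

With these constructed numbers the policer holds forwarded UDP near its 20,000 pps baseline during the attack, while roughly one legitimate UDP packet in ten gets through.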


