Getting hit hard by CHINANET
Mark Tinka
mark.tinka at seacom.mu
Wed Mar 18 06:32:36 UTC 2015
On 18/Mar/15 08:19, Roland Dobbins wrote:
>
>
> The assumption is that that OP is an end-customer/endpoint network,
> and willing to pay for same, if necessary.
My general experience is that customers are not willing to pay for
implementation of data plane filters. They'd be willing to pay for
traffic scrubbing, however.
>
> Even if that's not the case, that's how DDoS attacks are routinely and
> cooperatively mitigated between providers, when it's possible to block
> based on source, number of sources isn't overwhelming, etc.
That's one of two issues - if the sources are overwhelming how does one
scale that up without the use of some scrubbing service? Writing data
plane filters that are customer-specific works (assuming you have the
hardware for it), but can get unwieldy.
The other issues are the chance to boo-boo things when filtering a
customer-facing port, and/or forgetting to remove filters after they are
needed and customer (or the remote end) ends up having reachability issues.
Mark.
More information about the NANOG
mailing list