Getting hit hard by CHINANET

Roland Dobbins rdobbins at arbor.net
Wed Mar 18 09:49:15 UTC 2015


On 18 Mar 2015, at 13:32, Mark Tinka wrote:

> That's one of two issues - if the sources are overwhelming how does 
> one scale that up without the use of some scrubbing service? Writing 
> data plane filters that are customer-specific works (assuming you have 
> the hardware for it), but can get unwieldy.

Some operators have specialized DDoS mitigation capabilities.  Others 
rely exclusively on basic network infrastructure-based mechanisms like 
D/RTBH, S/RTBH, and/or flowspec.

> The other issues are the chance to boo-boo things when filtering a 
> customer-facing port, and/or forgetting to remove filters after they 
> are needed and customer (or the remote end) ends up having 
> reachability issues.

Sure.  But this doesn't obviate the fact that cooperative DDoS 
mitigation amongst network operators routinely takes place on the 
Internet today, and is increasingly made available in one form or 
another to end-customers who request same.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>


