BGP FlowSpec

Mon May 2 22:38:53 UTC 2016

> Am 03.05.2016 um 00:06 schrieb Roland Dobbins <rdobbins at arbor.net>:
> 
> On 3 May 2016, at 4:51, jim deleskie wrote:
> 
>> I was going to avoid this thread because I've never been a huge fan of Flowspec for my own reasons.
> 
> Flowspec is an extremely useful tool, IMHO - not only for direct, layer-4-granular mitigation leveraging linecard ASICs, but for more granular and selective diversion into mitigation centers, as well.  And its value is growing with increased platform support.  It isn't perfect (nothing is), and operators must be aware of its performance/scalability envelope on a given platform, but it's a great tool to have in the toolbox.
+1

> 
>> I can say I, nor any of my peers ( in any sense of that word) that I have known, have wanted to keep "bad " traffic on our networks so we can bill for it.
> 
> +1!
> 
> I ran into this situation precisely twice early in the 'oughts ("Let the packets come!" was the quote which stood out in my mind); those espousing it pretty quickly changed their tunes once their networks had been knocked flat a couple of times.
Let the packets come is not the message. But an upstream ISP can either drop the traffic to reduce the impact on the own network and the customers which are not attacked directly or remark and/or rate-limit the particular flows with nearly, of course not for the customer under attack, the same result. And please don’t get me wrong. I am not a fan of implementing it that way. 

I also want to add something to keeping bad traffic: Well, nobody wants to keep bad traffic. But that does not imply that all upstream ISPs are filtering out attacks by default for customers which are not paying for that. This is at least my interpretation from reading the various available DDoS reports and research papers. 

> 
> ;>
> 
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>