D/DoS mitigation hardware/software needed.
Dobbins, Roland
rdobbins at arbor.net
Tue Jan 5 05:08:27 UTC 2010
On Jan 5, 2010, at 12:05 PM, Rick Ernst wrote:
>
> A solution preferably that integrates with NetFlow and RTBH. An in-line solution obviously requires an appliance, or at least special/additional hardware.
The key is to not be inline all the time, but only inline *when needed*. This removes operational complexity, provides the ability to oversubscribe, and simplifies the routine troubleshooting matrix.
> I'm looking at taking the first whack at immediate mitigation at the border/edge (upstream) via uRPF and RTBH.
Good plan.
> Additional mitigation would be via manual or automatic RTBH or security/[email protected] involvement with upstreams.
Automagic is generally bad, as it can be gamed.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken