D/DoS mitigation hardware/software needed.

John Kristoff jtk at cymru.com
Tue Jan 5 11:13:53 CST 2010


On Tue, 5 Jan 2010 04:20:51 +0000
"Dobbins, Roland" <rdobbins at arbor.net> wrote:

> S/RTBH and/or flow-spec are great DDoS mitigation tools which don't
> require any further investment beyond the network infrastructure an
> operator has already purchased and deployed.  These should be the
> first mitigation tools anyone deploys; in many cases, they're all
> that's needed.

I still wish we would have had something like Bellovin's Pushback
implemented as a separate protocol rather than flow-spec over BGP, but
having lost that battle we have been playing around with a (free)
community, but vetted participant, flow-spec over BGP service if folks
are interested in trying it out. Just shoot me a note offline.  You need
an ASN, a flow-spec capable router and must be a verifiable admin/sec
contact for said ASN (whatever that means :-).

The basic idea is that folks who want to receive one or more sets of
flow-spec feeds and/or inject things they want others to filter on
(limited to your own routes) can do so.  No need for direct
peering and, like you say, Roland, many networks already have all they
need to start doing these sorts of things.

Please note, we realize there are a variety of issues in implementing
this sort of thing, but if we can find a way to make it trustworthy and
workable, that is why we're here.

Those not familiar with flow-spec can read up:

  <http://tools.ietf.org/html/rfc5575>

In a nutshell, distributed router filters via BGP.

John

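An added example, not part of the original message or of any actual feed service: it encodes one RFC 5575 flow-spec NLRI (destination prefix, IP protocol, destination port) and applies the RFC's section 6 feasibility check, which is the mechanism that keeps an injected filter "limited to your own routes". The unicast RIB, prefixes and AS numbers are constructed sample data.

```python
import ipaddress

# Numeric operator octet, RFC 5575 section 4, MSB first:
# e(end-of-list) a(and) len len 0 lt gt eq.  All values here are 1 octet.
END_OF_LIST, AND, LT, GT, EQ = 0x80, 0x40, 0x04, 0x02, 0x01

# Constructed sample unicast RIB: (prefix, originating AS) as seen locally.
SAMPLE_UNICAST_RIB = [("192.0.2.0/24", 64496), ("198.51.100.0/24", 64497),
                      ("198.51.100.128/25", 64498)]


def encode_numeric_op(value, flags=EQ, last=True):
    """One operator octet plus a 1-octet value (length code 00)."""
    if not 0 <= value <= 0xFF:
        raise ValueError("only 1-octet values are handled in this example")
    return bytes([flags | (END_OF_LIST if last else 0), value])


def encode_flowspec_nlri(dst_prefix, proto=None, dst_port=None):
    """Flow-spec NLRI: length octet, then type 1 (dst prefix), type 3 (IP
    protocol) and type 5 (dst port) components; a packet matches if all do."""
    net = ipaddress.ip_network(dst_prefix)
    nbytes = (net.prefixlen + 7) // 8  # prefix travels in minimal octets
    body = bytes([1, net.prefixlen]) + net.network_address.packed[:nbytes]
    if proto is not None:
        body += bytes([3]) + encode_numeric_op(proto)
    if dst_port is not None:
        body += bytes([5]) + encode_numeric_op(dst_port)
    if len(body) >= 240:
        raise ValueError("NLRI of 240+ octets needs the two-octet length form")
    return bytes([len(body)]) + body


def flowspec_is_feasible(dst_prefix, originator_as, unicast_rib):
    """RFC 5575 section 6 check, the 'limited to your own routes' rule:
    feasible only if (a) the originator matches the originator of the
    best-match unicast route for the destination prefix and (b) no more
    specific unicast route was learned from a different AS.  Equal-length
    ties are not resolved in this example."""
    net = ipaddress.ip_network(dst_prefix)
    rib = [(ipaddress.ip_network(p), asn) for p, asn in unicast_rib]
    covering = [r for r in rib if net.subnet_of(r[0])]
    if not covering:
        return False  # no unicast route to anchor trust to
    best_as = max(covering, key=lambda r: r[0].prefixlen)[1]
    if best_as != originator_as:
        return False  # (a) the prefix belongs to someone else
    return not any(p.prefixlen > net.prefixlen and p.subnet_of(net)
                   and asn != best_as for p, asn in rib)  # (b)
```

The second check (b) is what stops a rule for 198.51.100.0/24 from AS64497 being installed while a more specific 198.51.100.128/25 is held by AS64498.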