D/DoS mitigation hardware/software needed.
nanog at shreddedmail.com
Mon Jan 11 19:16:50 UTC 2010
Right. Some providers allow you to BGP community trigger RTBH. There was a
separate mention of D/DoS-mitigation-providers using DNS and BGP tunneling.
On Mon, Jan 11, 2010 at 8:14 AM, Stefan Fouant <
sfouant at shortestpathfirst.net> wrote:
> > -----Original Message-----
> > From: Rick Ernst [mailto:nanog at shreddedmail.com]
> > Sent: Monday, January 11, 2010 10:39 AM
> > To: NANOG
> > Subject: Re: D/DoS mitigation hardware/software needed.
> > As a service-provider/data-center, it seems like outsourcing would be
> > either
> > ineffective and/or removes the "big red button" in case of trouble.
> > Am I missing something, overly paranoid, or are there other mechanisms
> > for
> > outsourced protection?
> In fact, quite the opposite. Those providers who do offer DDoS mitigation
> services usually allow the customer to trigger the redirect in a manner
> similar to RTBHs by substituting the blackhole community for some type of
> mitigation community. This causes the Provider's edge router (or Route
> Server) to advertise the affected route within the Service Provider's
> network with a next-hop of the scrubbers.
> There are some providers who do auto-mitigation on behalf of the customer,
> but IMO this approach is asking for trouble.
> Stefan Fouant, CISSP, JNCIE-M/T
> GPG Key ID: 0xB5E3803D
More information about the NANOG