Colocation providers and ACL requests

Jimmy Hess mysidia at gmail.com
Wed Nov 2 00:00:54 UTC 2011


On Tue, Nov 1, 2011 at 1:22 PM, Kevin Loch <kloch at kl.net> wrote:
> Christopher Pilkington wrote:
> We have always accommodated temporary ACL's for active DDOS attacks.  I
> think that is fairly standard across the ISP/hosting industry.

And it's reasonable to accommodate the customer that asks, and
reasonable for a customer to ask for a temporary ACL in such
situations.

However, it's also reasonable for the provider to refuse, and there's
nothing wrong with that, unless the provider agreed that they would be
willing to do that, and then refused to do something they had already
agreed to do.

The provider might be especially dissuaded from responding and
providing a temporary ACL for free if the DoS is a "small" one based
on the provider's definition of small, or if the provider doesn't have
or won't allocate the resources to respond, without charging a fee to
do so.

Or it's a cut-rate hosting service, and the customer refused to buy
the "managed filtering" firewall (or whatever solution). In that case,
it's reasonable for the provider to counter the request with "You can
buy our such and such service, and we will gladly implement that."


If this is something you want to be sure you can do, then you should
ask the provider about it before signing that colocation contract for
IP connectivity, and make sure you have it in writing that the
provider will create an ACL on your interface of sufficient length to
do what you want.

And be sure you have worked out with the provider how this affects
billing in advance. It's quite possible you still have to pay or have
said dropped traffic counted against your commit.

--
-JH



