Evaluating Tier 1 Internet providers

Tore Anderson tore at fud.no
Wed Aug 28 07:37:14 UTC 2013

* Richard Hesse

> On Tue, Aug 27, 2013 at 12:14 PM, Joe Abley <jabley at hopcount.ca> wrote:
>>   - response you can expect when you call one day and say "our 10GE is
>> maxed out with inbound traffic from apparently everywhere, it has been
>> going on for an hour, please help"
> That was good for a laugh.
> If it's a DoS, you know what the answer already is. "We no longer offer
> filtering for any of our customers. You must upgrade to the DDoS prevention
> service." We've actually made a list of other companies that share our
> providers' downstream links in each facility and reached out to them. We
> get them to call up and complain to said tier1 provider that "something is
> affecting our traffic." That usually gets filters installed....otherwise no
> dice.

Several providers have a self-service blackholing functionality which
may alleviate DDoS attacks. Typically you announce the attacked /32 or a
/128 to your upstreams, tagged with some special blackhole community,
and/or to a special multihop BGP session dedicated for blackholing
purposes. Doing so will cause your upstreams to automatically drop the
attack traffic within their network, *before* it gets to saturate your

Clearly, this is a blunt and last-resort type of tool which will cement
the efficiency of the attack from a global perspective, but that may be
an acceptable trade-off depending on the circumstances; you may prevent
collateral damage from impacting your other customers, and by cutting
out global attack traffic might enable the attacked customer to serve
his primary markets just fine through local peering sessions, regional
transits, and so forth.

I'm not buying transit from a network that don't give me such
blackholing functionality, FWIW.


More information about the NANOG mailing list