level3 dia egress filtering?
phiber at phiber.org
Mon May 12 22:27:26 UTC 2014
Not specific ports, but something more like:
'deny udp any my.target.slash.25 0.0.255.255'
BGP blackholing will obviously impact all traffic to a target.
2014-05-12 15:20 GMT-07:00 Bob Evans <bob at fiberinternetcenter.com>:
> Are you asking a transit network to filter specific ports as an end user
> or as an ISP who has Level 3 as a transit provider?
> I haven't seen a specific port could be dropped by any network....Only
> aware of BGP community string like, 3356:9999 - black hole (discard all
> traffic for specific IP range) traffic type abilities.
> We have and will filter specific ports for customers. But this port type
> ACL is completed by hand....I haven't seen anyone implement this using a
> BGP community string.
> Bob Evans
> Fiber Internet Center
> Thank You
> Bob Evans
> > We contacted Level3 a few weeks back, and were told that they do not
> > provide any filtering service.
> > I've not been able to confirm this from anyone else, besides the Level3
> > customer service rep we spoke with.
> > Currently looking into a DDoS protection service from Akamai. Sounds
> > awesome what they can do, but often "awesome" translates to "overkill"
> > and/or "too expensive".
> > -Petter
> > -----Original Message-----
> > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Christopher
> > Rogers
> > Sent: Monday, May 12, 2014 2:47 PM
> > To: nanog at nanog.org
> > Subject: level3 dia egress filtering?
> > Does anyone have any experience dealing with level3 in trying to get
> > egress filters applied to an internet dia link with them?
> > I've been trying to get them to apply an egress filter to drop all of udp
> > to a certain /25 on my network that's been getting hammered by a dns
> > amplification attack, and I am being told that they can only 'drop an
> > entire protocol, and not to a specific ip address or range.'
> > Can anyone confirm if that's the case?
> > cheers
> > -chris