level3 dia egress filtering?

Christopher Rogers phiber at phiber.org
Mon May 12 22:27:26 UTC 2014


Not specific ports, but something more like:

'deny udp any my.target.slash.25 0.0.255.255'

BGP blackholing will obviously impact all traffic to a target.

-chris

2014-05-12 15:20 GMT-07:00 Bob Evans <bob at fiberinternetcenter.com>:

> Are you asking a transit network to filter specific ports as an end user
> or as an ISP who has Level 3 as a transit provider?
>
> I haven't seen that a specific port could be dropped by any network... Only
> aware of BGP community strings like 3356:9999 - black hole (discard all
> traffic for specific IP range) traffic type abilities.
>
> We have and will filter specific ports for customers. But this port type
> ACL is completed by hand... I haven't seen anyone implement this using a
> BGP community string.
>
> Bob Evans
> CTO
> Fiber Internet Center
> Thank You
> Bob Evans
> CTO
>
>
> > We contacted Level3 a few weeks back, and were told that they do not
> > provide any filtering service.
> > I've not been able to confirm this from anyone else, besides the Level3
> > customer service rep we spoke with.
> >
> > Currently looking into a DDoS protection service from Akamai. Sounds
> > awesome what they can do, but often "awesome" translates to "overkill"
> > and/or "too expensive".
> >
> > -Petter
> >
> > -----Original Message-----
> > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Christopher
> > Rogers
> > Sent: Monday, May 12, 2014 2:47 PM
> > To: nanog at nanog.org
> > Subject: level3 dia egress filtering?
> >
> > Does anyone have any experience dealing with level3 in trying to get
> > egress filters applied to an internet dia link with them?
> >
> > I've been trying to get them to apply an egress filter to drop all of udp
> > to a certain /25 on my network that's been getting hammered by a dns
> > amplification attack, and I am being told that they can only 'drop an
> > entire protocol, and not to a specific ip address or range.'
> >
> > Can anyone confirm if that's the case?
> >
> > cheers
> > -chris
> >
>
>
>
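
Added example (not part of the original thread, and not any provider's tooling): a small Python model of how an address/wildcard pair in an IOS-style 'deny udp any <dst> <wildcard>' line decides which packets are dropped, so the scope of a requested filter can be checked before it is handed to a provider. The 198.51.100.128/25 prefix and the sample packets are constructed, and the parser only handles this one ACL form.

```python
import ipaddress

# Constructed sample values (documentation address space), not from the thread.
TARGET = "198.51.100.128/25"

def wildcard_for(prefix):
    """Cisco-style wildcard (inverse) mask for a CIDR prefix."""
    return str(ipaddress.ip_network(prefix).hostmask)

def parse_acl(line):
    """Parse '<action> <proto> any <dst> <wildcard>', the one form used here."""
    action, proto, src, dst, wild = line.split()
    if src != "any":
        raise ValueError("this sketch only handles source 'any'")
    return action, proto, int(ipaddress.IPv4Address(dst)), int(ipaddress.IPv4Address(wild))

def matches(acl, proto, dst_ip):
    """True when a packet's protocol and destination match the entry."""
    _, acl_proto, base, wild = acl
    care = ~wild & 0xFFFFFFFF  # bits set in the wildcard are ignored
    dst = int(ipaddress.IPv4Address(dst_ip))
    return acl_proto in (proto, "ip") and (dst & care) == (base & care)

def covered_addresses(acl):
    """How many destination addresses the entry matches."""
    return 2 ** bin(acl[3]).count("1")

NARROW = parse_acl(f"deny udp any 198.51.100.128 {wildcard_for(TARGET)}")
WIDE = parse_acl("deny udp any 198.51.100.128 0.0.255.255")

if __name__ == "__main__":
    packets = [("udp", "198.51.100.200"), ("tcp", "198.51.100.200"),
               ("udp", "198.51.100.10"), ("udp", "198.51.7.7")]
    for name, acl in (("narrow", NARROW), ("wide", WIDE)):
        print(name, covered_addresses(acl), "addresses")
        for proto, dst in packets:
            verdict = "drop" if matches(acl, proto, dst) else "pass"
            print(f"  {proto} -> {dst}: {verdict}")
```

Unlike a blackhole route, either entry leaves TCP to the target untouched; the wildcard only controls how many destination addresses lose UDP.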

