level3 dia egress filtering?
bob at FiberInternetCenter.com
Mon May 12 23:22:57 UTC 2014
Ahh, yep, same thing: port and/or protocol for an address range. I haven't
seen that accomplished via BGP. I know ATT will do it - they want about 2K
more per month for that ability. All your traffic is redirected (extra
hops) through a firewall. So, it's a basic expensive firewall service.
We have done both port based and protocol. But it gets installed by hand
only on the connected port of the customer.
Fiber Internet Center
> Not specific ports, but something more like:
> 'deny udp any my.target.slash.25 0.0.255.255'
> BGP blackholing will obviously impact all traffic to a target.
> 2014-05-12 15:20 GMT-07:00 Bob Evans <bob at fiberinternetcenter.com>:
>> Are you asking a transit network to filter specific ports as an end user
>> or as an ISP who has Level 3 as a transit provider?
>> I haven't seen a specific port could be dropped by any network... Only
>> aware of BGP community string like, 3356:9999 - black hole (discard all
>> traffic for specific IP range) traffic type abilities.
>> We have and will filter specific ports for customers. But this port type
>> ACL is completed by hand... I haven't seen anyone implement this using a
>> BGP community string.
>> Bob Evans
>> Fiber Internet Center
>> Thank You
>> Bob Evans
>> > We contacted Level3 a few weeks back, and were told that they do not
>> > provide any filtering service.
>> > I've not been able to confirm this from anyone else, besides the
>> > customer service rep we spoke with.
>> > Currently looking into a DDoS protection service from Akamai. Sounds
>> > awesome what they can do, but often "awesome" translates to "overkill"
>> > and/or "too expensive".
>> > -Petter
>> > -----Original Message-----
>> > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Christopher
>> > Rogers
>> > Sent: Monday, May 12, 2014 2:47 PM
>> > To: nanog at nanog.org
>> > Subject: level3 dia egress filtering?
>> > Does anyone have any experience dealing with level3 in trying to get
>> > egress filters applied to an internet dia link with them?
>> > I've been trying to get them to apply an egress filter to drop all of
>> > to a certain /25 on my network that's been getting hammered by a dns
>> > amplification attack, and I am being told that they can only 'drop an
>> > entire protocol, and not to a specific ip address or range.'
>> > Can anyone confirm if that's the case?
>> > cheers
>> > -chris