level3 dia egress filtering?

Bob Evans bob at FiberInternetCenter.com
Mon May 12 23:22:57 UTC 2014


Ahh, yep, same thing: port and/or protocol for an address range. I haven't
seen that accomplished via BGP. I know ATT will do it - they want about 2K
more per month for that ability. All your traffic is redirected (extra
hops) through a firewall. So, it's a basic expensive firewall service.

We have done both port based and protocol. But it gets installed by hand
only on the connected port of the customer.

Bob Evans
CTO
Fiber Internet Center

> Not specific ports, but something more like:
>
> 'deny udp any my.target.slash.25 0.0.255.255'
>
> BGP blackholing will obviously impact all traffic to a target.
>
> -chris
>
> 2014-05-12 15:20 GMT-07:00 Bob Evans <bob at fiberinternetcenter.com>:
>
>> Are you asking a transit network to filter specific ports as an end user
>> or as an ISP who has Level 3 as a transit provider?
>>
>> I haven't seen a specific port could be dropped by any network....Only
>> aware of BGP community string like, 3356:9999 - black hole (discard all
>> traffic for specific IP range) traffic type abilities.
>>
>> We have and will filter specific ports for customers. But this port type
>> ACL is completed by hand....I haven't seen anyone implement this using a
>> BGP community string.
>>
>> Bob Evans
>> CTO
>> Fiber Internet Center
>>
>>
>> > We contacted Level3 a few weeks back, and were told that they do not
>> > provide any filtering service.
>> > I've not been able to confirm this from anyone else, besides the
>> > Level3 customer service rep we spoke with.
>> >
>> > Currently looking into a DDoS protection service from Akamai. Sounds
>> > awesome what they can do, but often "awesome" translates to "overkill"
>> > and/or "too expensive".
>> >
>> > -Petter
>> >
>> > -----Original Message-----
>> > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Christopher Rogers
>> > Sent: Monday, May 12, 2014 2:47 PM
>> > To: nanog at nanog.org
>> > Subject: level3 dia egress filtering?
>> >
>> > Does anyone have any experience dealing with level3 in trying to get
>> > egress filters applied to an internet dia link with them?
>> >
>> > I've been trying to get them to apply an egress filter to drop all of
>> > udp to a certain /25 on my network that's been getting hammered by a dns
>> > amplification attack, and I am being told that they can only 'drop an
>> > entire protocol, and not to a specific ip address or range.'
>> >
>> > Can anyone confirm if that's the case?
>> >
>> > cheers
>> > -chris
>> >
>>
>>
>>
>
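
An added example, not part of any poster's message: it contrasts the scoped UDP deny quoted in the thread with a blackhole route for the same prefix, over constructed flows. The 192.0.2.0/25 target and the flow list are assumptions; the /25 filter uses the wildcard 0.0.0.127, and the 0.0.255.255 wildcard from the quoted line is evaluated beside it to show how many more destinations it covers.

```python
import ipaddress

# Constructed stand-in for the attacked /25 (an assumption, not from the thread).
TARGET = ipaddress.ip_network("192.0.2.0/25")

def wildcard_match(addr, base, wildcard):
    """Cisco-style wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(pkt, wildcard):
    """'deny udp any <target> <wildcard>', then permit everything else."""
    hit = pkt["proto"] == "udp" and wildcard_match(
        pkt["dst"], str(TARGET.network_address), wildcard)
    return not hit

def blackhole_permits(pkt):
    """Blackhole route for the prefix: discards on destination address alone."""
    return ipaddress.ip_address(pkt["dst"]) not in TARGET

# Constructed sample flows: (name, protocol, destination).
FLOWS = [
    ("dns-amplification", "udp", "192.0.2.10"),
    ("https-to-target", "tcp", "192.0.2.10"),
    ("udp-last-host-in-25", "udp", "192.0.2.127"),
    ("udp-next-25", "udp", "192.0.2.128"),
    ("udp-elsewhere-in-16", "udp", "192.0.77.1"),
]

def compare():
    """Per flow: (passes /25 ACL, passes ACL with 0.0.255.255, passes blackhole)."""
    out = {}
    for name, proto, dst in FLOWS:
        pkt = {"proto": proto, "dst": dst}
        out[name] = (acl_permits(pkt, str(TARGET.hostmask)),
                     acl_permits(pkt, "0.0.255.255"),
                     blackhole_permits(pkt))
    return out

if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:22} {verdict}")
```

Either ACL form also drops legitimate UDP addressed to the /25, while the blackhole drops TCP to it as well.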