DDOS, IDS, RTBH, and Rate limiting

Frank Bulk frnkblk at iname.com
Sun Nov 9 02:42:38 UTC 2014

There's no doubt, rate-limiting is a poor-man's way of getting the job done,
but for small operators who aren't as well instrumented (whether that due to
staff or resources), a simple rule such as:
	access-list 100 ip host rate-limit 200000
	access-list 100 ip host rate-limit 5000000
	int vlan 10
        description Internet uplink
	 ip access-group 100 in
would be great.

Yes, the /32 under attack would essentially be out of service, but at least
the downstream network doesn't get congested and more customers affected.


-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Roland Dobbins
Sent: Saturday, November 08, 2014 8:28 PM
Subject: Re: DDOS, IDS, RTBH, and Rate limiting

On 9 Nov 2014, at 8:59, Frank Bulk wrote:

> I've written it before: if there was a software feature in routers 
> where I
> could specify the maximum rate any prefix size (up to /32) could 
> receive,
> that would be very helpful.

QoS generally isn't a suitable mechanism for DDoS mitigation, as the 
programmatically-generated attack traffic ends up 'crowding out' 
legitimate traffic.

S/RTBH, flowspec, and other methods tend to produce better results.

Roland Dobbins <rdobbins at arbor.net>

More information about the NANOG mailing list