DDOS, IDS, RTBH, and Rate limiting

joel jaeggli joelja at bogus.com
Sun Nov 9 05:22:05 UTC 2014


On 11/8/14 6:28 PM, Roland Dobbins wrote:
> 
> On 9 Nov 2014, at 8:59, Frank Bulk wrote:
> 
>> I've written it before: if there was a software feature in routers
>> where I
>> could specify the maximum rate any prefix size (up to /32) could receive,
>> that would be very helpful.
> 
> QoS generally isn't a suitable mechanism for DDoS mitigation, as the
> programmatically-generated attack traffic ends up 'crowding out'
> legitimate traffic.

if you can identify attack traffic well enough to police it reliably
then you can also drop it on the floor.

> S/RTBH, flowspec, and other methods tend to produce better results.

yup.

> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 243 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20141108/c29b69ab/attachment.pgp>


More information about the NANOG mailing list