DDOS, IDS, RTBH, and Rate limiting

joel jaeggli joelja at bogus.com
Sun Nov 9 05:22:05 UTC 2014


On 11/8/14 6:28 PM, Roland Dobbins wrote:
> 
> On 9 Nov 2014, at 8:59, Frank Bulk wrote:
> 
>> I've written it before: if there was a software feature in routers
>> where I
>> could specify the maximum rate any prefix size (up to /32) could receive,
>> that would be very helpful.
> 
> QoS generally isn't a suitable mechanism for DDoS mitigation, as the
> programmatically-generated attack traffic ends up 'crowding out'
> legitimate traffic.

if you can identify attack traffic well enough to police it reliably
then you can also drop it on the floor.

> S/RTBH, flowspec, and other methods tend to produce better results.

yup.

> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>
> 
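To make the "crowding out" point concrete, here is a small simulation that is an added example and not part of the thread or any vendor's code. It models a single-rate token-bucket policer (an assumption; real router policers and QoS schedulers are more elaborate) applied to one /32, first in the shape Frank asked for (one rate limit on everything destined to the prefix) and then in the shape Joel and Roland describe (classify the attack traffic and discard it, S/RTBH or flowspec style, before any rate limit applies). All traffic rates are constructed figures.

```python
"""Why a shared per-prefix rate limit lets attack traffic crowd out legitimate
traffic, versus classify-and-drop.  Added example; all figures are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TokenBucket:
    """Single-rate token-bucket policer: rate in packets/s, depth in packets.

    Assumed model for the example; it is not any specific router's policer."""
    rate_pps: float
    burst: float
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.burst  # bucket starts full

    def allow(self, t: float) -> bool:
        # Refill in proportion to elapsed time, capped at the bucket depth,
        # then admit the packet only if a whole token is available.
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate_pps)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def build_stream(legit_pps: int, attack_pps: int, seconds: float = 1.0) -> List[Tuple[float, str]]:
    """Constructed traffic toward one /32: evenly spaced legitimate and attack packets."""
    pkts = [(i / legit_pps, "legit") for i in range(int(legit_pps * seconds))]
    pkts += [(i / attack_pps, "attack") for i in range(int(attack_pps * seconds))]
    pkts.sort()  # merge by arrival time
    return pkts


def police_shared(stream: List[Tuple[float, str]], rate_pps: float, burst: float) -> Dict[str, int]:
    """One rate limit on everything destined to the prefix (the QoS approach)."""
    tb = TokenBucket(rate_pps, burst)
    passed = {"legit": 0, "attack": 0}
    for t, kind in stream:
        if tb.allow(t):
            passed[kind] += 1
    return passed


def classify_and_drop(stream: List[Tuple[float, str]], rate_pps: float, burst: float) -> Dict[str, int]:
    """Drop traffic already identified as attack before any policer sees it
    (the S/RTBH or flowspec approach); the policer then only sees what is left."""
    tb = TokenBucket(rate_pps, burst)
    passed = {"legit": 0, "attack": 0}
    for t, kind in stream:
        if kind == "attack":
            continue  # discarded by the classifier, never counted against the limit
        if tb.allow(t):
            passed[kind] += 1
    return passed


def compare(legit_pps: int = 1000, attack_pps: int = 9000,
            rate_pps: float = 2000, burst: float = 100) -> Dict[str, Dict[str, int]]:
    """Run both approaches over the same constructed second of traffic."""
    stream = build_stream(legit_pps, attack_pps)
    return {
        "shared": police_shared(stream, rate_pps, burst),
        "classified": classify_and_drop(stream, rate_pps, burst),
    }


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name:10s} legit passed {counts['legit']:5d}/1000  "
              f"attack passed {counts['attack']:5d}/9000")
```

With 1000 pps of legitimate traffic buried in 9000 pps of attack traffic and a 2000 pps limit on the prefix, the shared policer admits packets roughly in proportion to their share of arrivals, so most of what gets through is attack traffic and most legitimate packets are dropped even though the legitimate rate alone is well under the limit. Once the attack traffic is classified and discarded first, every legitimate packet passes. The simulation only makes Joel's observation visible: the hard part is the classification, and once you have it, a policer adds nothing over a drop.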

