DDOS, IDS, RTBH, and Rate limiting

Frank Bulk frnkblk at iname.com
Sun Nov 9 05:31:31 UTC 2014

But that's my point: many small operators don't have tools and/or staff to
identify flows in order to police and/or drop the traffic, and definitely
not a NOC that can intervene in under 5 minutes.  How much simpler if there
was a generic rule that said "no one IP can receive more than 200 Mbps", log
on that, and then if it takes 30 or 90 minutes for someone to react, that's
fine, but in the meantime other customers weren't affected.


-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of joel jaeggli
Sent: Saturday, November 08, 2014 11:22 PM
To: Roland Dobbins; NANOG
Subject: Re: DDOS, IDS, RTBH, and Rate limiting

On 11/8/14 6:28 PM, Roland Dobbins wrote:
> On 9 Nov 2014, at 8:59, Frank Bulk wrote:
>> I've written it before: if there was a software feature in routers
>> where I
>> could specify the maximum rate any prefix size (up to /32) could receive,
>> that would be very helpful.
> QoS generally isn't a suitable mechanism for DDoS mitigation, as the
> programmatically-generated attack traffic ends up 'crowding out'
> legitimate traffic.

if you can identify attack traffic well enough to police it reliably
then you can also drop it on the floor.

> S/RTBH, flowspec, and other methods tend to produce better results.


> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>

More information about the NANOG mailing list