DDOS solution recommendation
Ca By
cb.list6 at gmail.com
Sun Jan 11 15:23:47 UTC 2015
On Sun, Jan 11, 2015 at 6:58 AM, Roland Dobbins <rdobbins at arbor.net> wrote:
>
> On 11 Jan 2015, at 20:52, Ca By wrote:
>
>> 1. BCP38 protects your neighbor, do it.
>
> It's to protect yourself, as well. You should do it all the way down to
> the transit customer aggregation edge, all the way down to the IDC access
> layer, etc.
>
>> 2. Protect yourself by having your upstream police UDP to some
>> baseline you are comfortable with.
>
> This will come back to haunt you, when the programmatically-generated
> attack traffic 'crowds out' the legitimate traffic and everything breaks.
>
> You can only really do this for ntp.
I do it for all UDP. There are bw policers and pps policers. As I said,
this is known to work for me. YMMV.
It is a managed risk, like anything. There are no silver bullets.
I feel bad for people developing things like QUIC and WebRTC on UDP. But.
I have already informed them of this risk of using UDP instead of a new L4
protocol.
Protip: UDP is a cesspool. Don't build things on a cesspool where the vast
majority of traffic is illegitimate. Guilty by association is a real
thing.
UDP will not have a renaissance.
CB
>
>
>> 3. Have RTBH ready for some special case.
>
> S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
>
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>
>
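An added illustration of the policer trade-off argued in this exchange (example code, not from either poster): a token-bucket model of an upstream UDP policer fed with a mix of legitimate and attack packets, run once as a pps policer and once as a bandwidth policer. The traffic rates, packet sizes and the 10 ms burst depth are assumed values, not figures from the thread.

```python
# Added example, not from the thread: a token-bucket model of an upstream UDP
# policer, showing the "crowding out" Roland describes and the bandwidth vs pps
# distinction Ca By draws. Rates, packet sizes and the 10 ms burst are assumed.
import random


class TokenBucket:
    """Single-rate policer: tokens refill continuously; a packet conforms if the
    bucket holds its cost (1 token per packet for pps, its bytes for bandwidth)."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def conform(self, now, cost):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < cost:
            return False
        self.tokens -= cost
        return True


def survival(rate, flows, cost, seconds=1.0, seed=1):
    """flows: name -> (packets/s, bytes/packet); cost: bytes -> tokens per packet.
    Poisson arrivals from all flows share one bucket (burst = 10 ms of rate).
    Returns name -> fraction of that flow's packets the policer let through."""
    rng, bucket, arrivals = random.Random(seed), TokenBucket(rate, rate * 0.01), []
    for name, (pps, size) in flows.items():
        t = 0.0
        while pps > 0 and (t := t + rng.expovariate(pps)) <= seconds:
            arrivals.append((t, name, size))
    arrivals.sort()  # merge the flows into one time-ordered packet stream
    offered, passed = {n: 0 for n in flows}, {n: 0 for n in flows}
    for t, name, size in arrivals:
        offered[name] += 1
        passed[name] += bucket.conform(t, cost(size))
    return {n: passed[n] / offered[n] for n in flows if offered[n]}


LEGIT = (5_000, 100)      # constructed: small client queries (pps, bytes/packet)
ATTACK = (45_000, 1_400)  # constructed: large amplification-style responses


def pps_policer(attack=ATTACK):
    """10 kpps policer: every packet costs one token regardless of size."""
    return survival(10_000, {"legit": LEGIT, "attack": attack}, lambda size: 1)


def bw_policer(attack=ATTACK):
    """10 Mbit/s (1.25 MB/s) policer: a packet costs its size in bytes."""
    return survival(1_250_000, {"legit": LEGIT, "attack": attack}, lambda size: size)
```

Under the pps policer the legitimate flow is cut to roughly the same fraction as the attack (the policer cannot tell them apart), while under the bandwidth policer the small legitimate packets keep finding tokens that the large attack packets cannot, which is the managed-risk trade-off both posters are describing.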