DDOS solution recommendation

Tore Anderson tore at fud.no
Mon Jan 12 09:51:58 UTC 2015


* "Roland Dobbins" <rdobbins at arbor.net>

> On 12 Jan 2015, at 16:19, Tore Anderson wrote:
> 
> > I'd love to use flowspec over D/RTBH, but to me it seems like 
> > vapourware.
> 
> I meant on your own infrastructure, apologies for the confusion.

Right. So if I first need to accept the traffic onto my infrastructure
before I can discard it, I'm dead in the water anyway: My uplinks will
sit there at 100% ingress utilisation, dropping legitimate traffic.
/32 or /128 D/RTBH announcements towards my transits is my only real
option at this point. That helps protect against collateral damage, and
if the customer's audience is local, it can also restore full operation
for the attacked customer's primary markets (which are usually reached
via peers instead of transits).

For attacks that are conveniently sized smaller than my upstream
capacity, I could see that flowspec could be useful, but not in a
unique way, as inside my own network I can easily distribute targeted
stateless discard ACLs in many other ways too (I use Netconf currently).

> Transit providers utilizing Juniper aggregation edge routers could do it 
> now - why they don't, I don't know.

I'd definitely be willing to pay a premium for such a feature.

Tore
