NANOG Digest, Vol 89, Issue 8
Ramy Hashish
ramy.ihashish at gmail.com
Mon Jun 8 15:18:21 UTC 2015
>
>
> On 8 Jun 2015, at 17:57, Ramy Hashish wrote:
>
> > a BGP session has to be established over a GRE tunnel over the
> > internet between the ISP/NSP/DC and the cloud scrubbing center,
>
> This is incorrect.
>
> In most cloud overlay DDoS mitigation scenarios (e.g., end-customer
> obtains service from an MSSP which isn't providing them with transit),
> a) there is no BGP relationship whatsoever between the end-customer and
> the MSSP, and b) the GRE tunnel is used strictly for re-injection of
> clean traffic (i.e., post-mitigation) to the end-customer.
>
> In some scenarios, DNS is also used in place of/in addition to BGP-based
> diversion.
>
> But GRE is used for re-injection only.
>
>
>
Roland, I am talking about the case where the ISP/NSP is having their own
DDoS mitigation solution -to protect their NW infrastructure- and then
providing the service to their end customers. However I have some concerns
on your comments:
Even if the transit provider won't be involved in the mitigation process
and the GRE tunnel is used only for injecting the traffic back to the end
customer, the customer's dirty traffic will pass through some congestion
points (most likely near the IGWs) throughout the transit provider network.
And concerning point b) as per Arbor representatives in my region, Arbor's
system takes up to five minutes to mitigate the attack (starting from the
hit of the first dirty packet), so there will be a period of time where the
dirty traffic (or at least some of it) will be coming down all the way to
the end customer until you completely mitigate the attack.
I hope now it become more clear.
Ramy
More information about the NANOG
mailing list