DDoS mitigation for ISPs

Mike mike-nanog at tiedyenetworks.com
Thu Oct 29 15:42:31 UTC 2015


     Is there any DDoS mitigation service provider that can scrub 
traffic for an ISP network? I have an ASN and BGP and my own netblocks, 
and I have a 1 Gbps pipe. I was thinking the scenario would be that during 
an attack, we could bring up a tunnel and run BGP over it and advertise 
some portion of our IP space through it. I realise getting it set up while 
an attack is taking place would be a little hard and that we likely could 
expect at least some down time. What we have seen so far has been 
reflection attacks (DNS and SSDP) and we have been able to do rate 
limiting on these and other protocols to sane values. This has worked 
well, although the primary risk is that once the traffic flow exceeds the 
link capacity such limiting won't have any net effect. But if we could 
farm this out during times of trouble to a mitigation services provider, 
they could advertise our block(s) and rate limit and scrub for us and 
send us the result; it would be far better than what we have now 
(which is effectively nothing). I asked Cloudflare this and they stated 
they are focused on web traffic. My upstream can't help me, doesn't 
support RTBH and won't install filters anyway unless it's impacting 
THEIR network. Just wondering if anyone has any other ideas (short of 
ditching my provider, which I also can't do at this time due to lack 
of competitive choice).
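The post makes two operational points that are worth seeing worked through: reflection traffic (DNS, SSDP) is recognisable from the source port and the oversized replies, and local rate limiting only helps while the aggregate still fits on the 1 Gbps access link; beyond that, the options are upstream scrubbing or blackholing (RTBH) the victim address so the rest of the netblock stays reachable. The script below is an added example and is not code from the post or from any vendor mentioned in it. It reads constructed CSV flow records (the format, the 80% headroom and 400-byte average-packet thresholds, the reflector port list and the sample addresses are all assumptions chosen for illustration), totals the reflection traffic per service and per victim, and returns whether edge policing can still help or the attack has already exceeded the link.

```python
"""
Added example: triage UDP reflection traffic from flow records and decide
whether local rate limiting can still help or the attack already exceeds the
access link (at which point only upstream scrubbing or RTBH makes a difference).
The flow format, thresholds and sample records are constructed for
illustration; they are not from any real collector or from the original post.
"""
from collections import defaultdict
from dataclasses import dataclass

LINK_BPS = 1_000_000_000   # the 1 Gbps access link described in the post
HEADROOM = 0.8             # assumption: edge policing only helps below ~80% of the link
MIN_AVG_PKT_BYTES = 400    # assumption: amplified replies are large; small src-port-53 packets are ordinary DNS

# Reflector services keyed by UDP source port (assumption: illustrative list).
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp", 389: "cldap", 1900: "ssdp", 11211: "memcached"}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    byte_count: int
    packet_count: int
    duration_s: float

    @property
    def bps(self) -> float:
        return self.byte_count * 8 / self.duration_s

    @property
    def avg_pkt_bytes(self) -> float:
        return self.byte_count / self.packet_count


def parse_flows(text: str) -> list[Flow]:
    """Parse constructed CSV flow records: src,sport,dst,dport,proto,bytes,packets,seconds."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split(",")]
        flows.append(Flow(f[0], int(f[1]), f[2], int(f[3]), f[4].lower(),
                          int(f[5]), int(f[6]), float(f[7])))
    return flows


def is_reflection(flow: Flow) -> bool:
    """UDP sourced from a known reflector port with amplified (large) replies."""
    return (flow.proto == "udp"
            and flow.src_port in REFLECTOR_PORTS
            and flow.avg_pkt_bytes >= MIN_AVG_PKT_BYTES)


def reflection_bps_by_service(flows) -> dict[str, float]:
    """Aggregate reflection bits/second per reflector service (dns, ssdp, ...)."""
    totals = defaultdict(float)
    for fl in flows:
        if is_reflection(fl):
            totals[REFLECTOR_PORTS[fl.src_port]] += fl.bps
    return dict(totals)


def total_reflection_bps(flows) -> float:
    return sum(reflection_bps_by_service(flows).values())


def mitigation_verdict(attack_bps: float, link_bps: float = LINK_BPS) -> str:
    """'local' while edge policing still has headroom, else 'upstream' (scrub or RTBH)."""
    return "local" if attack_bps < link_bps * HEADROOM else "upstream"


def rtbh_candidates(flows, link_bps: float = LINK_BPS, share: float = 0.5):
    """Victim addresses drawing more than `share` of the link: the /32s to blackhole
    upstream, sacrificing the target so the rest of the netblock stays reachable."""
    per_victim = defaultdict(float)
    for fl in flows:
        if is_reflection(fl):
            per_victim[fl.dst_ip] += fl.bps
    return sorted(((ip, bps) for ip, bps in per_victim.items() if bps > link_bps * share),
                  key=lambda t: -t[1])


# Constructed sample flows over a 10-second window, using documentation prefixes.
SAMPLE_FLOWS = """
# src_ip,src_port,dst_ip,dst_port,proto,bytes,packets,seconds
198.51.100.10,53,203.0.113.5,40000,udp,1000000000,2000000,10
198.51.100.20,53,203.0.113.5,40000,udp,500000000,1000000,10
192.0.2.7,1900,203.0.113.5,40000,udp,500000000,1000000,10
192.0.2.9,1900,203.0.113.8,33000,udp,50000000,100000,10
203.0.113.77,443,203.0.113.5,51000,tcp,5000000,4000,10
198.51.100.33,53,203.0.113.9,53000,udp,40000,300,10
"""
FLOWS = parse_flows(SAMPLE_FLOWS)

if __name__ == "__main__":
    by_svc = reflection_bps_by_service(FLOWS)
    total = total_reflection_bps(FLOWS)
    for svc, bps in sorted(by_svc.items()):
        print(f"{svc:>8}: {bps / 1e6:8.1f} Mbps")
    print(f"{'total':>8}: {total / 1e6:8.1f} Mbps on a {LINK_BPS / 1e6:.0f} Mbps link "
          f"-> {mitigation_verdict(total)}")
    for ip, bps in rtbh_candidates(FLOWS):
        print(f"RTBH candidate {ip}/32 ({bps / 1e6:.0f} Mbps)")
```

In the sample data the DNS and SSDP reflection adds up to 1.64 Gbps against a 1 Gbps link, so the verdict is "upstream": the policers the post describes would be dropping packets that have already consumed the pipe. The last record (src port 53, 133-byte average) is left alone, which is why the size check matters: a plain port-53 filter would also throttle legitimate resolver replies. The single victim above 50% of the link, 203.0.113.5, is the address you would announce as a /32 to an upstream that honours RTBH communities; the post notes this particular upstream does not, which is what pushes the problem to a scrubbing provider that can announce the block and tunnel the cleaned traffic back.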


