ti14m028 at technikum-wien.at
Thu Apr 28 06:34:49 UTC 2016
> On 27.04.2016 at 18:09, Hank Nussbacher <hank at efes.iucc.ac.il> wrote:
> On 27/04/2016 18:58, John Kristoff wrote:
>> On Thu, 21 Apr 2016 09:46:13 +0200
>> Martin Bacher <ti14m028 at technikum-wien.at> wrote:
>>> - Intra-AS BGP FlowSpec deployment: Who is running it? For which kind
>>> of attacks are you using it? Are you only dropping or rate-limiting
>>> certain traffic or are you also using the redirect/remark
>>> capabilities? What are the limitations from your perspective? Are you
>>> facing any operational issues? How are you injecting the FlowSpec
>> Unless you received a number of private responses, perhaps the lack of
>> public responses is telling.
> Geant runs a Firewall of Demand based on BGP Flowspec (Juniper
> routers). You can read more about it here:
Thank you Hank. That's a pretty nice intra-AS implementation with a nice interface for customers.
>> I've heard of a few networks doing this and there is some public record
>> of it being used, including one instance where a bad rule was behind a
>> serious outage:
>>> - Inter-AS: Who is running Inter-AS FlowSpec deployments? What is
>>> your experience? Are there any concerns regarding Inter-AS
>>> deployments? Has anyone done interop tests?
>> You might mine public, archived BGP data and see if there are any
>> traffic filtering rules present (they are encoded in extended
>> communities, which are optional, transitive).
>> We once tried to coordinate an Inter-AS flow-spec project, but it
>> failed miserably due to lack of interest. For posterity, here is the
>> project page:
>> Literally the only person who was interested in it at the time was one
>> of the spec's co-authors. :-)
>> Since then, we have tried a more modest approach using the well known
>> BGP RTBH technique:
>> This has been much more successful and since we've started we've
>> probably had about a dozen networks express interest in flow-spec
>> rules. Verification of rules is potentially tricky, but
>> widespread interest still lags in my estimation.
>>> - How are you detecting DDoS attacks (Netflow, in-line probes, ..?)
>>> and which applications are you using for the analysis (Peakflow,
>>> Open-Source tools, ..?)
>> Not speaking for anyone in particular, but don't forget about user
>> complaints. In some cases a network may not notice (or care) if an
>> attack is below a certain threshold for their network, but above a
>> stress point downstream.
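John Kristoff's suggestion above, mining archived BGP data for traffic-filtering rules, comes down to recognising the FlowSpec action extended communities carried in UPDATE messages. The decoder below is an added example, not code from this thread or from any project mentioned in it; it assumes the RFC 5575 encodings (traffic-rate, traffic-action, the two-octet-AS redirect form, traffic-marking), and the sample communities are constructed, not taken from real routing data.

```python
import struct

# RFC 5575 FlowSpec actions: transitive experimental type 0x80, these subtypes.
FLOWSPEC_SUBTYPES = {0x06: "traffic-rate", 0x07: "traffic-action",
                     0x08: "redirect", 0x09: "traffic-marking"}

def decode_flowspec_community(raw: bytes):
    """Decode one 8-byte extended community; None if it is not a FlowSpec action."""
    if len(raw) != 8:
        raise ValueError("an extended community is exactly 8 bytes")
    high, sub, value = raw[0], raw[1], raw[2:]
    if high != 0x80 or sub not in FLOWSPEC_SUBTYPES:
        return None                                   # route target, link bandwidth, ...
    kind = FLOWSPEC_SUBTYPES[sub]
    if kind == "traffic-rate":
        asn, rate = struct.unpack(">Hf", value)       # 2-octet AS, IEEE-754 float bytes/s
        return {"action": kind, "as": asn, "bytes_per_sec": rate,
                "effect": "drop" if rate == 0 else "rate-limit"}
    if kind == "traffic-action":
        flags = value[-1]                             # T (bit 47) and S (bit 46) flags
        return {"action": kind, "terminal": bool(flags & 0x01),
                "sample": bool(flags & 0x02)}
    if kind == "redirect":                            # route-target form AS(2):number(4)
        asn, num = struct.unpack(">HI", value)
        return {"action": kind, "route_target": f"{asn}:{num}"}
    return {"action": kind, "dscp": value[-1] & 0x3F}  # traffic-marking: low 6 bits

def filtering_actions(communities):
    """Keep only the decoded FlowSpec actions from a list of raw communities."""
    decoded = (decode_flowspec_community(c) for c in communities)
    return [d for d in decoded if d is not None]

# Constructed sample (not from real BGP data): route target 64496:100, drop,
# 1 MB/s limit, terminal+sample flags, redirect to VRF 64496:7, DSCP 46 mark.
SAMPLE_COMMUNITIES = [
    bytes([0x00, 0x02]) + struct.pack(">HI", 64496, 100),
    bytes([0x80, 0x06]) + struct.pack(">Hf", 64496, 0.0),
    bytes([0x80, 0x06]) + struct.pack(">Hf", 64496, 1_000_000.0),
    bytes([0x80, 0x07, 0, 0, 0, 0, 0, 0x03]),
    bytes([0x80, 0x08]) + struct.pack(">HI", 64496, 7),
    bytes([0x80, 0x09, 0, 0, 0, 0, 0, 46]),
]
```

Run `filtering_actions(SAMPLE_COMMUNITIES)` to see the five actions the sample carries; the route target in the first entry is correctly ignored, which is the filter you would apply when scanning a full RIB dump.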