BGP FlowSpec

Martin Bacher ti14m028 at technikum-wien.at
Mon May 2 22:13:19 UTC 2016


> Am 02.05.2016 um 23:38 schrieb Roland Dobbins <rdobbins at arbor.net>:
> 
> On 2 May 2016, at 20:16, Martin Bacher wrote:
> 
>> However, Tier 1s and most probably also some of the Tier 2s may not want to offer it to customers because they are loosing money if less traffic is sent downstream on IP-Transit links.
> 
> I will go a step further than Danny's comments and state that this is categorically and demonstrably untrue.
> 
> Many of the quite large 'Tier-1' and 'Tier-2' (using the old terminology) operators on this list offer commercial DDoS mitigation services making use of technologies like D/RTBH, S/RTBH, IDMS, et. al. due to customer demand.  They need these capabilities in order to defend their own properties and assets, and they are also offering them to end-customers who want and need them.
> 
> In point of fact, it's becoming difficult to find one which *doesn't* offer this type of service.
It was not meant to be a general statement that they are not offering anti DDoS services in whatever flavor. But you usually just get what you pay for. Furthermore, my statement was related to inter-AS BGP-FS and that providers may not offer it to customers but use in instead for traffic remarking to something like worse than best effort and still forwarding it to a customer under attack if he is not paying extra fees for DDoS mitigation. That does not mean that the ISP does not help on request or deploys countermeasures if its own infrastructure or other customers are suffering from that attack. But he may not perform any mitigation (except for the own protection) by default. 


> 
> There were a couple of situations in the first half of the first decade of this millennium where operators took this attitude.  But they changed their tunes pretty rapidly once they themselves were impacted, and once they started losing customers because they couldn't and wouldn't protect them.
> 
> And as Danny notes, these technologies are all tools in the toolbox.  NFV and 'SDN' have tremendous potential to make it a lot easier to bring mitigation resources to bear in a dynamic and optimal fashion within single spans of administrative control; and there are standards-based efforts underway to provide for a higher degree of automation, increased rapidity of response, and interoperability in both inter- and intra-network DDoS mitigation scenarios.
Sounds nice. Looking forward to see that implemented on a large scale in inter-AS setups. But I am not sure if this will really happen. 

> 
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>



More information about the NANOG mailing list