BGP FlowSpec

Martin Bacher ti14m028 at
Mon May 2 22:21:56 UTC 2016

> Am 02.05.2016 um 23:51 schrieb jim deleskie <deleskie at>:
> I was going to avoid this thread because I've never been a huge fan of
> Flowspec for my own reasons. However having work on /been responsible for
> several "Tier 1 and 2" networks and DDoS mitigation services over the last
> 20 years,  I can say I, nor any of my peers ( in any sense of that word)
> that I have known, have wanted to keep "bad " traffic on our networks so
> we can bill for it.  Designing and running a large network is hard enough
> with planed growth, without having to manage unplanned spikes on links that
> can be  orders of magnitude larger then traffic that "normally" flows
> across it.
I was for sure not precise enough in my statement and should have left out the money part. Sorry for that. An ISP would of course protect its own infrastructure and other customers if the attack is large enough and always tries to keep the general impact as low as possible. But auto mitigation is usually only provided for customers which are paying for it. BGP-FS offers an easy way for automatic deployment of traffic remarking of attack traffic in order to keep the overall impact for the own network and other customers at a very low level.

> On top of that any given DDoS attack seldom last long enough to materially
> impact 95%ile billing, so carriers don't make anything from it, but have to
> do all the work of moving it around.
> -jim
> On Mon, May 2, 2016 at 6:38 PM, Roland Dobbins <rdobbins at> wrote:
>> On 2 May 2016, at 20:16, Martin Bacher wrote:
>> However, Tier 1s and most probably also some of the Tier 2s may not want
>>> to offer it to customers because they are loosing money if less traffic is
>>> sent downstream on IP-Transit links.
>> I will go a step further than Danny's comments and state that this is
>> categorically and demonstrably untrue.
>> Many of the quite large 'Tier-1' and 'Tier-2' (using the old terminology)
>> operators on this list offer commercial DDoS mitigation services making use
>> of technologies like D/RTBH, S/RTBH, IDMS, et. al. due to customer demand.
>> They need these capabilities in order to defend their own properties and
>> assets, and they are also offering them to end-customers who want and need
>> them.
>> In point of fact, it's becoming difficult to find one which *doesn't*
>> offer this type of service.
>> There were a couple of situations in the first half of the first decade of
>> this millennium where operators took this attitude.  But they changed their
>> tunes pretty rapidly once they themselves were impacted, and once they
>> started losing customers because they couldn't and wouldn't protect them.
>> And as Danny notes, these technologies are all tools in the toolbox.  NFV
>> and 'SDN' have tremendous potential to make it a lot easier to bring
>> mitigation resources to bear in a dynamic and optimal fashion within single
>> spans of administrative control; and there are standards-based efforts
>> underway to provide for a higher degree of automation, increased rapidity
>> of response, and interoperability in both inter- and intra-network DDoS
>> mitigation scenarios.
>> -----------------------------------
>> Roland Dobbins <rdobbins at>

More information about the NANOG mailing list