BGP FlowSpec

Roland Dobbins rdobbins at arbor.net
Tue May 3 00:03:28 UTC 2016


On 3 May 2016, at 5:38, Martin Bacher wrote:

> Let the packets come is not the message.

That was *precisely* the message which was spoken to me directly by a 
large regional CONUS ISP in mid-2003 or thereabouts.  I know this; I was 
there.

And it was the wrong message, as that particular ISP found out a couple 
of weeks later when their network was knocked flat and they lost 
customers because of it.  A bit of schadenfreude might not have been out 
of place, for the less-charitably inclined.

> or remark and/or rate-limit the particular flows with nearly, of 
> course not for the customer under attack, the same result.

This is almost always a Bad Idea, because the programmatically-generated 
attack traffic ends up 'crowding out' the legitimate traffic.  For some 
attacks which are obviously out-of-profile with regards to the attack 
targets, this isn't as much of a concern; some large network operators 
are doing this with regards to common UDP reflection/amplification 
traffic (but they're being careful about it).

And that still doesn't address the issue of high-volume traffic choking 
peering/transit links, of course.

> But that does not imply that all upstream ISPs are filtering out 
> attacks by default for customers which are not paying for that.

Nobody here has said that.  But some beneficiary collateral effects of 
this nature do show up, from time to time.

> This is at least my interpretation from reading the various available 
> DDoS reports and research papers.

You should probably be aware that you are likely conversing directly 
with the authors of/contributors to some of those very reports and 
research papers in this thread (depending on which reports and papers 
you mean), and that the people with whom you are interacting routinely 
mitigate DDoS attacks on the public Internet as part of their normal 
work routine - and have done so for many years.

For many of us, this is not a theoretical discussion; and it would 
probably be a good idea to keep in mind that our contributions to this 
thread aren't based upon reading various reports and research papers, 
but rather upon our actions which generate the data and experiential 
observations upon which such reports and research papers are based.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
