rdobbins at arbor.net
Tue May 3 00:03:28 UTC 2016
On 3 May 2016, at 5:38, Martin Bacher wrote:
> Let the packets come is not the message.
That was *precisely* the message which was spoken to me directly by a
large regional CONUS ISP in mid-2003 or thereabouts. I know this; I was
And it was the wrong message, as that particular ISP found out a couple
of weeks later when their network was knocked flat and they lost
customers because of it. A bit of schadenfreude might not have been out
of place, for the less-charitably inclined.
> or remark and/or rate-limit the particular flows with nearly, of
> course not for the customer under attack, the same result.
This is almost always a Bad Idea, because the programmatically-generated
attack traffic ends up 'crowding out' the legitimate traffic. For some
attacks which are obviously out-of-profile with regards to the attack
targets, this isn't as much of a concern; some large network operators
are doing this with regards to common UDP reflection/amplification
traffic (but they're being careful about it).
And that still doesn't address the issue of high-volume traffic choking
peering/transit links, of course.
> But that does not imply that all upstream ISPs are filtering out
> attacks by default for customers which are not paying for that.
Nobody here has said that. But some beneficiary collateral effects of
this nature do show up, from time to time.
> This is at least my interpretation from reading the various available
> DDoS reports and research papers.
You should probably be aware that you are likely conversing directly
with the authors of/contributors to some of those very reports and
research papers in this thread (depending on which reports and papers
you mean), and that the people with whom you are interacting routinely
mitigate DDoS attacks on the public Internet as part of their normal
work routine - and have done so for many years.
For many of us, this is not a theoretical discussion; and it would
probably be a good idea to keep in mind that our contributions to this
thread aren't based upon reading various reports and research papers,
but rather upon our actions which generate the data and experiential
observations upon which such reports and research papers are based.
Roland Dobbins <rdobbins at arbor.net>
More information about the NANOG