automatic rtbh trigger using flow data

Roland Dobbins rdobbins at arbor.net
Thu Aug 30 23:59:29 UTC 2018


On 31 Aug 2018, at 6:47, Aaron Gould wrote:

> I'm really surprised that you all are doing this based on source ip, 
> simply because I thought the distribution of botnet members around the 
> world we're so extensive that I never really thought it possible to 
> filter based on sources, i

Using S/RTBH to drop attack sources has been a valid and useful 
mitigation tactic for close to 20 years.  Any kind of modern router 
scales up to large numbers of sources; and note that S/RTBH isn't 
limited to /32s.

It's discussed in this .pdf preso:

<https://app.box.com/s/xznjloitly2apixr5xge>

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>


More information about the NANOG mailing list