Best way to get foreign ISPs to shut down DDoS reflectors?
William Herrin
bill at herrin.us
Thu Apr 23 22:16:27 UTC 2020
On Thu, Apr 23, 2020 at 2:38 PM Shawn L via NANOG <nanog at nanog.org> wrote:
> This brings up an interesting question -- what is "good DDoS protection" on an ISP scale? Apart from having enough bandwidth to weather the attack and having upstream providers attempt to filter it for you/
Hi Shawn,
I believe the normal mechanism is that you use BGP to sink the
impacted /24s at many high-bandwidth exchange points worldwide,
filter, and pass the traffic which the filter accepts back to your
core infrastructure via a tunnel (VPN).
Build or buy.
If it's practical to sink the bandwidth near the DDOS target, I
wouldn't think it was much of a DDOS.
A question which interests me: How many attacks do folks find landing
in the middle-ground between "annoying but readily handled" and "far
beyond my ability?"
Regards,
Bill Herrin
--
William Herrin
bill at herrin.us
https://bill.herrin.us/
More information about the NANOG
mailing list