DDoS Mitigation Survey
Dobbins, Roland
Roland.Dobbins at netscout.com
Tue Jan 14 22:31:02 UTC 2020
On 14 Jan 2020, at 1:56, Lumin Shi wrote:
> We believe that many routers on the Internet today may not have the
> necessary capacity to perform fine-grained traffic filtering, especially
> when facing a large-scale DDoS attack with or without IP spoofing.
There are literally decades of information on these topics available
publicly. Router and switch ACLs (both static and dynamically-updated
via flow spec), D/RTBH, S/RTBH, intelligent DDoS mitigation systems
(IDMSes; full disclosure, I work for a vendor of such systems), et
al. are all used to mitigate DDoS attacks.
Your comments about routers not having the 'capacity' (I think you mean
capability) to filter traffic due to a lack of granularity are
demonstrably inaccurate. While it's always useful to be able to parse
into packets as deeply as practicable in hardware, layer-4 granularity
has been and continues to be useful in mitigating DDoS attacks on an
ongoing basis. Whether or not the traffic in question is spoofed is
irrelevant, in this particular context.
Here are some .pdf presentations on the general topic of DDoS
mitigation:
<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>
There are lots of write-ups and videos of presentations given at
conferences like NANOG which address these issues; they can easily be
located via the use of search engines.
--------------------------------------------
Roland Dobbins <roland.dobbins at netscout.com>
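As an added illustration of the point made in the reply above (layer-4 ACL granularity mitigates floods whether or not their sources are spoofed), the following Python is example code written for this page, not anything from the author or from NetScout. It models a first-match router ACL whose entries match only on protocol and ports, runs a constructed flow sample through it, and checks that rewriting every source address changes no verdict. The addresses, ports and rule set are hypothetical sample values chosen for the demonstration.

```python
"""Layer-4 ACL demo: verdicts depend on protocol/ports only, never on source IP."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    sport: int
    dport: int
    octets: int


@dataclass(frozen=True)
class L4Rule:
    """One ACL / flowspec-style entry: protocol plus optional port matches."""
    action: str                   # "permit" or "deny"
    proto: str                    # "udp", "tcp" or "any"
    sport: Optional[int] = None   # None = any source port
    dport: Optional[int] = None   # None = any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "any" and self.proto != f.proto:
            return False
        if self.sport is not None and self.sport != f.sport:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


def classify(rules: List[L4Rule], flow: Flow, default: str = "permit") -> str:
    """First-match semantics, like a router ACL; falls through to `default`."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


def summarize(rules: List[L4Rule], flows: List[Flow]) -> dict:
    """Flow and byte totals per verdict, the numbers an operator watches during mitigation."""
    out = {"permit": {"flows": 0, "octets": 0}, "deny": {"flows": 0, "octets": 0}}
    for f in flows:
        verdict = out[classify(rules, f)]
        verdict["flows"] += 1
        verdict["octets"] += f.octets
    return out


def source_independent(rules: List[L4Rule], flows: List[Flow]) -> bool:
    """True if forging every source address leaves every verdict unchanged."""
    return all(
        classify(rules, f) == classify(rules, replace(f, src="0.0.0.0"))
        for f in flows
    )


# Hypothetical protected host: a web server that only needs TCP/443 inbound
# plus replies from its resolver (UDP source port 53).
VICTIM = "198.51.100.10"

# Hypothetical rule set: drop reflected NTP responses and UDP to a port the
# host does not serve; everything else falls through to the default permit.
RULES = [
    L4Rule("deny", "udp", sport=123),
    L4Rule("deny", "udp", dport=80),
]

# Constructed flow sample (documentation address ranges, made-up byte counts).
SAMPLE_FLOWS = [
    Flow("203.0.113.5", VICTIM, "udp", 123, 40000, 4_000_000),   # reflected, real source
    Flow("203.0.113.77", VICTIM, "udp", 123, 40001, 3_500_000),  # reflected, real source
    Flow("192.0.2.1", VICTIM, "udp", 51000, 80, 2_000_000),      # direct flood, forged source
    Flow("192.0.2.2", VICTIM, "udp", 52000, 80, 2_000_000),      # direct flood, forged source
    Flow("192.0.2.50", VICTIM, "tcp", 44321, 443, 12_000),       # legitimate HTTPS client
    Flow("203.0.113.9", VICTIM, "udp", 53, 34567, 300),          # legitimate resolver reply
]

if __name__ == "__main__":
    print(summarize(RULES, SAMPLE_FLOWS))
    print("verdicts unchanged under source forgery:", source_independent(RULES, SAMPLE_FLOWS))
```

The two reflected flows carry genuine source addresses (the reflectors) and the two direct flood flows carry forged ones, yet the ACL discards all four on port criteria alone while the HTTPS session and the resolver reply pass; `source_independent` makes that indifference to spoofing explicit.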