DDoS Mitigation Survey

Dobbins, Roland Roland.Dobbins at netscout.com
Tue Jan 14 22:31:02 UTC 2020


On 14 Jan 2020, at 1:56, Lumin Shi wrote:

> We believe that many routers on the Internet today may not have the
> necessary capacity to perform fine-grained traffic filtering, especially
> when facing a large-scale DDoS attack with or without IP spoofing.

There are literally decades of information on these topics available 
publicly.  Router and switch ACLs (both static and dynamically-updated 
via flow spec), D/RTBH, S/RTBH, intelligent DDoS mitigation systems 
(IDMSes; full disclosure, I work for a vendor of such systems), et 
al. are all used to mitigate DDoS attacks.

Your comments about routers not having the 'capacity' (I think you mean 
capability) to filter traffic due to a lack of granularity are 
demonstrably inaccurate.  While it's always useful to be able to parse 
into packets as deeply as practicable in hardware, layer-4 granularity 
has been and continues to be useful in mitigating DDoS attacks on an 
ongoing basis.  Whether or not the traffic in question is spoofed is 
irrelevant, in this particular context.

Here are some .pdf presentations on the general topic of DDoS 
mitigation:

<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>

There are lots of write-ups and videos of presentations given at 
conferences like NANOG which address these issues; they can easily be 
located via the use of search engines.

--------------------------------------------
Roland Dobbins <roland.dobbins at netscout.com>
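The post names layer-4 ACLs, D/RTBH and S/RTBH without contrasting what each one drops. The model below is an added example, not code from the post or from any vendor's product; it runs the three actions over constructed sample traffic (a UDP reflection flood from source port 123 against a victim, mixed with legitimate TCP/443 sessions) and counts attack packets dropped against legitimate packets lost, which is the granularity trade-off the reply is making. All addresses and rule formats are assumptions for the illustration.

```python
"""Model three mitigation actions from the post on constructed traffic and
report (attack packets dropped, legitimate packets dropped) for each."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst proto sport dport attack")

# Constructed traffic (not a capture): 40 reflection packets (UDP, sport 123)
# from many sources to the victim, 10 legitimate TCP/443 packets to the
# victim, and 5 legitimate TCP/443 packets to a neighbouring host.
VICTIM = "192.0.2.10"
TRAFFIC = (
    [Packet(f"198.51.100.{i}", VICTIM, "udp", 123, 40000 + i, True)
     for i in range(1, 41)]
    + [Packet(f"203.0.113.{i}", VICTIM, "tcp", 50000 + i, 443, False)
       for i in range(1, 11)]
    + [Packet(f"203.0.113.{i}", "192.0.2.11", "tcp", 50000 + i, 443, False)
       for i in range(1, 6)]
)

def layer4_acl(rules):
    """Rules are (proto, sport, dport, dst_prefix); None is a wildcard."""
    def drop(p):
        for proto, sport, dport, dst in rules:
            if (proto in (None, p.proto) and sport in (None, p.sport)
                    and dport in (None, p.dport)
                    and ip_address(p.dst) in ip_network(dst)):
                return True
        return False
    return drop

def drtbh(prefix):
    """Destination-based RTBH: everything sent to the prefix is blackholed."""
    net = ip_network(prefix)
    return lambda p: ip_address(p.dst) in net

def srtbh(sources):
    """Source-based RTBH: everything from a listed source prefix is dropped."""
    nets = [ip_network(s) for s in sources]
    return lambda p: any(ip_address(p.src) in n for n in nets)

def evaluate(drop, traffic=TRAFFIC):
    """Return (attack packets dropped, legitimate packets dropped)."""
    attack = sum(1 for p in traffic if p.attack and drop(p))
    collateral = sum(1 for p in traffic if not p.attack and drop(p))
    return attack, collateral

if __name__ == "__main__":
    for name, f in [("L4 ACL", layer4_acl([("udp", 123, None, VICTIM + "/32")])),
                    ("D/RTBH", drtbh(VICTIM + "/32")),
                    ("S/RTBH", srtbh(["198.51.100.0/24"]))]:
        print(name, evaluate(f))
```

The layer-4 rule removes the flood with no collateral loss regardless of who the sources are, D/RTBH also removes the victim's legitimate sessions, and S/RTBH only works as well as the source list that feeds it.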


