<div dir="ltr"><div>Hi Roland,</div><div><br></div><div>Thank you for your comments and resources. I think you may have misunderstood our email (we could've made our email more clear -- apologies).</div><div><br></div><div>The following is our explanation if we interpreted your email correctly.<br></div><div><br></div><div>What we meant by "may not have necessary capacity" is that routers do not have enough CAM/TCAM space to deploy/install ACLs, BGP FlowSpec rules against large-scale DDoS attacks without 1) incurring major collateral damage (e.g., deploy /16 source-based rules instead of /32 so that more DDoS traffic can be filtered while using less CAM/TCAM space), or 2) performance penalties that are introduced by deploying more filters than a router's data plane can support (i.e., data plane to control plane I/O limitation).</div><div><br></div><div>We believe DDoS mitigation based on layer 3 and/or 4 information can be fine-grain. As a matter of fact, when we referred to fine-grained traffic filtering in our original email, we meant DDoS mitigation based on layer 3 and 4 information.</div><div><br></div><div>I hope this addresses your concerns.<br></div><div><br></div><div>Best,</div><div>Lumin<br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div> <br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 14, 2020 at 2:31 PM Dobbins, Roland <<a href="mailto:Roland.Dobbins@netscout.com" target="_blank">Roland.Dobbins@netscout.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
On 14 Jan 2020, at 1:56, Lumin Shi wrote:<br>
<br>
> We believe that many routers on the Internet<br>
> today may not have the necessary capacity to perform fine-grained <br>
> traffic<br>
> filtering, especially when facing a large-scale DDoS attack with or <br>
> without<br>
> IP spoofing.<br>
<br>
There are literally decades of information on these topics available <br>
publicly. Router and switch ACLs (both static and dynamically-updated <br>
via flow spec), D/RTBH, S/RTBH, intelligent DDoS mitigation systems <br>
(IDMSes; full disclosure, I work for a a vendor of such systems), et. <br>
al. are all used to mitigate DDoS attacks.<br>
<br>
Your comments about routers not having the 'capacity' (I think you mean <br>
capability) to filter traffic due to a lack of granularity are <br>
demonstrably inaccurate. While it's always useful to be able to parse <br>
into packets as deeply as practicable in hardware, layer-4 granularity <br>
has been and continues to be useful in mitigating DDoS attacks on an <br>
ongoing basis. Whether or not the traffic in question is spoofed is <br>
irrelevant, in this particular context.<br>
<br>
Here are some .pdf presentations on the general topic of DDoS <br>
mitigation:<br>
<br>
<<a href="https://app.box.com/s/4h2l6f4m8is6jnwk28cg" rel="noreferrer" target="_blank">https://app.box.com/s/4h2l6f4m8is6jnwk28cg</a>><br>
<br>
There are lots of write-ups and videos of presentations given at <br>
conferences like NANOG which address these issues; they can easily be <br>
located via the use of search engines.<br>
<br>
--------------------------------------------<br>
Roland Dobbins <<a href="mailto:roland.dobbins@netscout.com" target="_blank">roland.dobbins@netscout.com</a>><br>
<br>
</blockquote></div>