<html style="direction: ltr;">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style id="bidiui-paragraph-margins" type="text/css">body p { margin-bottom: 0cm; margin-top: 0pt; } </style>
</head>
<body bidimailui-charset-is-forced="true" style="direction: ltr;">
<div class="moz-cite-prefix">On 02/02/2021 19:08, Douglas Fischer
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAKEr4RR0uSm9N6U3YX_crdZUnE=DM0CcodRYi9TARyiyH+Tcgw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div class="gmail_default" style="font-family:"courier
new",monospace;font-size:small">Well... That is a point
of view!<br>
And I must respect that.<br>
<br>
Against this position, there are several companies, including
some tier 1, that sells this as an $extra$.<br>
<br>
About the "Please break me at my earliest inconvenience."
part:<br>
I believe that the same type of prefix filtering that
applies to Downstream-BGP-Routes applies to RTBH and Flowspec.<br>
So, exactly as in common BGP Route-Filtering:<br>
- If the network operator does it correctly, it should work
correctly.<br>
- If the network operator deals with that without the needed
skills, expertise, attention+devotion, wrong things will come
up.<br>
</div>
</div>
</blockquote>
<p>You forgot to mention software bugs:</p>
<p><a class="moz-txt-link-freetext" href="https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11101&cat=SIRT_1&actp=LIST">https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11101&cat=SIRT_1&actp=LIST</a></p>
<p><br>
</p>
<p>Note what Juniper states:</p>
<p><i>Workaround:</i><i><br>
</i><i>There are no viable workarounds for this issue</i><br>
</p>
<p><br>
</p>
<p>-Hank<br>
</p>
<p style="direction: rtl;"><br>
</p>
<blockquote type="cite"
cite="mid:CAKEr4RR0uSm9N6U3YX_crdZUnE=DM0CcodRYi9TARyiyH+Tcgw@mail.gmail.com">
<div dir="ltr">
<div class="gmail_default" style="font-family:"courier
new",monospace;font-size:small"><br>
<br>
But, this still does not helps to find a solution do an
organization A that sends some flowspec our RTBH to
organization B(presuming organization B will accept that),
and organization B do some reports of what is match with that
flowspec or RTBH.<br>
<br>
That, in my opinion, is the only way to stop guessing how long
will an attack will last, and start to define the end of a
flowspec/RTBH action based on real information related to
that.<br>
I want to close the feedback loop.<br>
</div>
<div class="gmail_default" style="font-family:courier
new,monospace;font-size:small"><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Em ter., 2 de fev. de 2021 às
13:07, Tom Beecher <a class="moz-txt-link-rfc2396E" href="mailto:beecher@beecher.cc"><beecher@beecher.cc></a> escreveu:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Personally, I would absolutely, positively,
never ever under any circumstances provide access to a 3rd
party company to push a FlowSpec rule or trigger RTBH on my
networks. No way. You would be handing over a nuclear
trigger and saying "Please break me at my earliest
inconvenience." </div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Feb 2, 2021 at
5:56 AM Douglas Fischer <<a
href="mailto:fischerdouglas@gmail.com" target="_blank"
moz-do-not-send="true">fischerdouglas@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div class="gmail_default"
style="font-family:"courier
new",monospace;font-size:small">OK, but do you
know any company the sells de Flowspec as a service,
in the way that the Attack Identifications are not
made by their equipment, just receiving de
BGP-FlowSpec and applying that rules on that
equipments... And even then give back to the customer
some way to access those statistics?<br>
<br>
I just know one or two that do that, and(sadly) they
do it on fancy web reports or PDFs.<br>
Without any chance of using that as structured data do
feedback the anomaly detection tools to determine if
already it is the time to remove that Flowsperc rule.<br>
<br>
What I'm looking for is something like:<br>
A) XML/JSON/CSV files streamed to my equipment from
the Flowspec Upstream Equipments saying "Heepend that,
that, and that." Almost in real time.<br>
B) NetFlow/IPFIX/SFlow streamed to my equipment from
the Upstream Equipment, restricted to the
DST-Address that matches to the IP blocks that were
involved to the Flowspec or RTBH that I Annouced to
then.<br>
C) Any other idea that does the job of gives me the
visibility of what is happening with FlowSpec-rules,
or RTBH on theyr network.<br>
<br>
</div>
<div class="gmail_default"
style="font-family:"courier
new",monospace;font-size:small"><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Em seg., 1 de fev. de
2021 às 22:07, Dobbins, Roland <<a
href="mailto:Roland.Dobbins@netscout.com"
target="_blank" moz-do-not-send="true">Roland.Dobbins@netscout.com</a>>
escreveu:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="auto">
<div dir="ltr"><br>
</div>
<div dir="ltr"><br>
<blockquote type="cite">On Feb 2, 2021, at 00:34,
Douglas Fischer <<a
href="mailto:fischerdouglas@gmail.com"
target="_blank" moz-do-not-send="true">fischerdouglas@gmail.com</a>>
wrote:<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr"><br>
<div class="gmail_default"
style="font-family:"courier
new",monospace;font-size:small">
Or even know if already there is a solution
to that and I'm trying to invent the wheel.</div>
<div dir="ltr">
<div
style="padding:0px;margin-left:0px;margin-top:0px;overflow:hidden;color:black;text-align:left;line-height:130%;font-family:"courier
new",monospace">
</div>
</div>
</div>
</div>
</blockquote>
<br>
<div>
<div>Many flow telemetry export implementations on
routers/layer3 switches report both passed &
dropped traffic on a continuous basis for DDoS
detection/classification/traceback. </div>
<br style="color:rgb(0,0,0)">
</div>
<div>It's also possible to combine the
detection/classification/traceback & flowspec
trigger functions. </div>
<div><br>
</div>
<div>[Full disclosure: I work for a vendor of such
systems.]</div>
<div><br>
</div>
<div>
<p
style="margin:0px;font-stretch:normal;font-size:17.4px;line-height:normal;color:rgb(69,69,69)"><span
style="font-size:17.41pt">--------------------------------------------</span></p>
<p
style="margin:0px;font-stretch:normal;font-size:17.4px;line-height:normal;color:rgb(69,69,69)"><span
style="font-size:17.41pt">Roland Dobbins <<a
href="mailto:roland.dobbins@netscout.com"
target="_blank" moz-do-not-send="true">roland.dobbins@netscout.com</a>></span></p>
</div>
</div>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr"><font size="2"><span
style="font-family:"courier
new",monospace">Douglas Fernando Fischer</span><br
style="font-family:"courier
new",monospace">
<span style="font-family:"courier
new",monospace">Engº de Controle e Automação</span></font></div>
</blockquote>
</div>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature"><font size="2"><span
style="font-family:"courier new",monospace">Douglas
Fernando Fischer</span><br style="font-family:"courier
new",monospace">
<span style="font-family:"courier new",monospace">Engº
de Controle e Automação</span></font></div>
</blockquote>
<p><br>
</p>
</body>
</html>