<div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace;font-size:small">Yep...<br>But I remember the first concept of security:<br>There is no real security on a single layer.<br><br>So, considering That, FlowSpec should never be accepted directly by the FlowSpec-Enforcer-Box.<br>It should be announced to another box, running other software than that one on the Perimeter, and filtering and refiltering should be done on both layers.</div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Em qua., 3 de fev. de 2021 às 02:43, Hank Nussbacher <<a href="mailto:hank@interall.co.il">hank@interall.co.il</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="direction:ltr">
<div>On 02/02/2021 19:08, Douglas Fischer
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default">Well... That is a point
of view!<br>
And I must respect that.<br>
<br>
Against this position, there are several companies, including
some tier 1, that sells this as an $extra$.<br>
<br>
About the "Please break me at my earliest inconvenience."
part:<br>
I believe that the same type of prefix filtering that
applies to Downstream-BGP-Routes applies to RTBH and Flowspec.<br>
So, exactly as in common BGP Route-Filtering:<br>
- If the network operator does it correctly, it should work
correctly.<br>
- If the network operator deals with that without the needed
skills, expertise, attention+devotion, wrong things will come
up.<br>
</div>
</div>
</blockquote>
<p>You forgot to mention software bugs:</p>
<p><a href="https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11101&cat=SIRT_1&actp=LIST" target="_blank">https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11101&cat=SIRT_1&actp=LIST</a></p>
<p><br>
</p>
<p>Note what Juniper states:</p>
<p><i>Workaround:</i><i><br>
</i><i>There are no viable workarounds for this issue</i><br>
</p>
<p><br>
</p>
<p>-Hank<br>
</p>
<p style="direction:rtl"><br>
</p>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default"><br>
<br>
But, this still does not helps to find a solution do an
organization A that sends some flowspec our RTBH to
organization B(presuming organization B will accept that),
and organization B do some reports of what is match with that
flowspec or RTBH.<br>
<br>
That, in my opinion, is the only way to stop guessing how long
will an attack will last, and start to define the end of a
flowspec/RTBH action based on real information related to
that.<br>
I want to close the feedback loop.<br>
</div>
<div class="gmail_default" style="font-family:"courier new",monospace;font-size:small"><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Em ter., 2 de fev. de 2021 às
13:07, Tom Beecher <a href="mailto:beecher@beecher.cc" target="_blank"><beecher@beecher.cc></a> escreveu:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Personally, I would absolutely, positively,
never ever under any circumstances provide access to a 3rd
party company to push a FlowSpec rule or trigger RTBH on my
networks. No way. You would be handing over a nuclear
trigger and saying "Please break me at my earliest
inconvenience." </div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Feb 2, 2021 at
5:56 AM Douglas Fischer <<a href="mailto:fischerdouglas@gmail.com" target="_blank">fischerdouglas@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div class="gmail_default">OK, but do you
know any company the sells de Flowspec as a service,
in the way that the Attack Identifications are not
made by their equipment, just receiving de
BGP-FlowSpec and applying that rules on that
equipments... And even then give back to the customer
some way to access those statistics?<br>
<br>
I just know one or two that do that, and(sadly) they
do it on fancy web reports or PDFs.<br>
Without any chance of using that as structured data do
feedback the anomaly detection tools to determine if
already it is the time to remove that Flowsperc rule.<br>
<br>
What I'm looking for is something like:<br>
A) XML/JSON/CSV files streamed to my equipment from
the Flowspec Upstream Equipments saying "Heepend that,
that, and that." Almost in real time.<br>
B) NetFlow/IPFIX/SFlow streamed to my equipment from
the Upstream Equipment, restricted to the
DST-Address that matches to the IP blocks that were
involved to the Flowspec or RTBH that I Annouced to
then.<br>
C) Any other idea that does the job of gives me the
visibility of what is happening with FlowSpec-rules,
or RTBH on theyr network.<br>
<br>
</div>
<div class="gmail_default"><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Em seg., 1 de fev. de
2021 às 22:07, Dobbins, Roland <<a href="mailto:Roland.Dobbins@netscout.com" target="_blank">Roland.Dobbins@netscout.com</a>>
escreveu:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="auto">
<div dir="ltr"><br>
</div>
<div dir="ltr"><br>
<blockquote type="cite">On Feb 2, 2021, at 00:34,
Douglas Fischer <<a href="mailto:fischerdouglas@gmail.com" target="_blank">fischerdouglas@gmail.com</a>>
wrote:<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr"><br>
<div class="gmail_default">
Or even know if already there is a solution
to that and I'm trying to invent the wheel.</div>
<div dir="ltr">
<div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<div>
<div>Many flow telemetry export implementations on
routers/layer3 switches report both passed &
dropped traffic on a continuous basis for DDoS
detection/classification/traceback. </div>
<br style="color:rgb(0,0,0)">
</div>
<div>It's also possible to combine the
detection/classification/traceback & flowspec
trigger functions. </div>
<div><br>
</div>
<div>[Full disclosure: I work for a vendor of such
systems.]</div>
<div><br>
</div>
<div>
<p style="margin:0px;font-stretch:normal;font-size:17.4px;line-height:normal;color:rgb(69,69,69)"><span style="font-size:17.41pt">--------------------------------------------</span></p>
<p style="margin:0px;font-stretch:normal;font-size:17.4px;line-height:normal;color:rgb(69,69,69)"><span style="font-size:17.41pt">Roland Dobbins <<a href="mailto:roland.dobbins@netscout.com" target="_blank">roland.dobbins@netscout.com</a>></span></p>
</div>
</div>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr"><font size="2"><span>Douglas Fernando Fischer</span><br>
<span>Engº de Controle e Automação</span></font></div>
</blockquote>
</div>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr"><font size="2"><span style="font-family:"courier new",monospace">Douglas
Fernando Fischer</span><br>
<span style="font-family:"courier new",monospace">Engº
de Controle e Automação</span></font></div>
</blockquote>
<p><br>
</p>
</div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><font size="2"><span style="font-family:"courier new",monospace">Douglas Fernando Fischer</span><br style="font-family:"courier new",monospace"><span style="font-family:"courier new",monospace">Engº de Controle e Automação</span></font><div style="padding:0px;margin-left:0px;margin-top:0px;overflow:hidden;color:black;text-align:left;line-height:130%;font-family:"courier new",monospace"></div></div>