Yes, most of the time anything over 1-2 Gbps of clean traffic should not use
the GRE tunnel and instead would use some other form of connection like
dark fiber, cross connect or wave. By not using the GRE tunnel you also
don't have the problems with IPsec tunnels or other MTU problems.

On Thu, Jan 21, 2021 at 10:26 AM Mike Hammett <af...@ics-il.net> wrote:

> Would the tunnel problems be solved if you peered with them in a
> datacenter?
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> ------------------------------
> *From: *"Zach Underwood" <zunder1...@gmail.com>
> *To: *"AnimalFarm Microwave Users Group" <af@af.afmug.com>
> *Sent: *Wednesday, January 20, 2021 8:23:43 PM
> *Subject: *Re: [AFMUG] DDOS on cgnat
>
> Remote DDoS protection has a few points. The below applies to DDoS
> protection that cannot normally be in the traffic flow.
> 1. It can break IPsec tunnels that were set up prior to the mitigation. We
> saw this a lot at Arbor; it is due to when the IPsec tunnel comes up the MTU
> becomes fixed. When you swing the traffic into mitigation the new MTU end
> to end is now smaller than when the tunnel came up. We would tell clients to
> hard set a smaller MTU like 14xx something in the IPsec so the tunnels
> would stay up during the mitigation. Otherwise the tunnel would have to be
> bounced to come back up.
> 2. To bring the clean traffic back into the network the most common is GRE
> tunnels, but this is really limited to 1-2 Gbps on most platforms.
> 3. The good remote DDoS protection is very expensive.
> 4. You will need a min of a /24 that you have permission to allow another
> AS to announce the prefix.
> 5. Most services base pricing on Gbps of clean traffic coming off the
> backend.
>
> On Wed, Jan 20, 2021, 8:50 PM Dev <d...@logicalwebhost.com> wrote:
>
>> If you do BGP you can send it to a black hole, otherwise if the link is
>> truly saturated and unusable, you’ll probably be talking upstream to
>> someone who can help. Later you can buy proxy scrubbing services or get an
>> Arbor box, but that probably doesn’t help you now.
>>
>> > On Jan 20, 2021, at 3:55 PM, Matt Hoppes <mattli...@rivervalleyinternet.net> wrote:
>> >
>> > Any ideas how to mitigate DDOS attacks when you’re on CGNAT with maybe 100 people behind one IP concentrator?
>> > --
>> > AF mailing list
>> > AF@af.afmug.com
>> > http://af.afmug.com/mailman/listinfo/af_af.afmug.com


-- 
Zach Underwood (RHCE,RHCSA,RHCT,UACA)
My website <http://zachunderwood.me>
advance-networking.com
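
Added example, not part of the original thread: a calculator for the IPsec MTU issue described above, showing why a tunnel sized for a 1500-byte path stops fitting once clean traffic returns over GRE, and what "14xx" value still fits. Assumptions: IPv4 ESP tunnel mode, a plain GRE header with no key or checksum (24 bytes of overhead), and three common cipher suites; all names in the code are illustrative.

```python
# Added example: sizes assume IPv4 ESP tunnel mode and plain GRE (no key/checksum).
from dataclasses import dataclass

IPV4_HDR = 20
ESP_HDR = 8                   # SPI + sequence number
ESP_TRAILER = 2               # pad-length + next-header bytes
NAT_T_UDP = 8                 # UDP encapsulation header used for NAT traversal
GRE_OVERHEAD = IPV4_HDR + 4   # outer IPv4 header + basic GRE header


@dataclass(frozen=True)
class Suite:
    name: str
    iv: int      # per-packet IV bytes
    align: int   # ciphertext alignment (block size for CBC, 4 for GCM)
    icv: int     # integrity check value bytes


AES_CBC_SHA1 = Suite("aes-cbc/hmac-sha1-96", 16, 16, 12)
AES_CBC_SHA256 = Suite("aes-cbc/hmac-sha256-128", 16, 16, 16)
AES_GCM16 = Suite("aes-gcm-16", 8, 4, 16)


def esp_outer_size(inner_len: int, s: Suite, nat_t: bool = False) -> int:
    """On-the-wire size of an ESP tunnel-mode packet carrying inner_len bytes."""
    body = inner_len + ESP_TRAILER
    body += -body % s.align   # padding up to the cipher alignment
    return IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + s.iv + body + s.icv


def max_inner_mtu(path_mtu: int, s: Suite, nat_t: bool = False) -> int:
    """Largest inner packet whose ESP packet still fits in path_mtu."""
    fixed = IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + s.iv + s.icv
    room = path_mtu - fixed
    return room - room % s.align - ESP_TRAILER


def survives_diversion(tunnel_mtu: int, s: Suite, clean_path_mtu: int,
                       nat_t: bool = False) -> bool:
    """True if a full-size tunnel packet still fits once traffic returns via GRE."""
    return esp_outer_size(tunnel_mtu, s, nat_t) <= clean_path_mtu


if __name__ == "__main__":
    clean = 1500 - GRE_OVERHEAD   # path MTU through the GRE return tunnel
    for s in (AES_CBC_SHA1, AES_CBC_SHA256, AES_GCM16):
        before, after = max_inner_mtu(1500, s), max_inner_mtu(clean, s)
        print(f"{s.name}: tunnel MTU {before} -> {after}, TCP MSS {after - 40}, "
              f"old MTU survives diversion: {survives_diversion(before, s, clean)}")
```

Setting the tunnel MTU to the post-diversion value ahead of time keeps full-size packets within the smaller path, so the tunnel does not need to be bounced when traffic is swung into mitigation.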