Right. Some providers allow you to BGP community trigger RTBH. There was a separate mention of D/DoS-mitigation-providers using DNS and BGP tunneling.
Rick

On Mon, Jan 11, 2010 at 8:14 AM, Stefan Fouant <sfou...@shortestpathfirst.net> wrote:

> > -----Original Message-----
> > From: Rick Ernst [mailto:na...@shreddedmail.com]
> > Sent: Monday, January 11, 2010 10:39 AM
> > To: NANOG
> > Subject: Re: D/DoS mitigation hardware/software needed.
> >
> > As a service-provider/data-center, it seems like outsourcing would be either
> > ineffective and/or removes the "big red button" in case of trouble.
> >
> > Am I missing something, overly paranoid, or are there other mechanisms for
> > outsourced protection?
>
> In fact, quite the opposite. Those providers who do offer DDoS mitigation
> services usually allow the customer to trigger the redirect in a manner
> similar to RTBHs by substituting the blackhole community for some type of
> mitigation community. This causes the Provider's edge router (or Route
> Server) to advertise the affected route within the Service Provider's
> network with a next-hop of the scrubbers.
>
> There are some providers who do auto-mitigation on behalf of the customer,
> but IMO this approach is asking for trouble.
>
> Stefan Fouant, CISSP, JNCIE-M/T
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
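
The community-triggered redirect described in the quoted reply, modelled as a provider edge import policy. This is an added example, not part of the original thread or any provider's configuration; the community values, next-hops, customer name and prefixes are constructed placeholders, and the ownership and prefix-length checks are assumed policy.

```python
import ipaddress

# All values below are constructed placeholders (documentation ASN and prefixes).
BLACKHOLE = "64500:666"    # hypothetical RTBH trigger community
MITIGATE = "64500:777"     # hypothetical mitigation (scrubbing) community
DISCARD_NH = "192.0.2.1"   # next-hop statically routed to discard on every edge
SCRUBBER_NH = "192.0.2.2"  # next-hop that resolves to the scrubbing centre

# Address space each customer is authorised to announce (constructed).
CUSTOMER_SPACE = {"cust-a": [ipaddress.ip_network("203.0.113.0/24")]}


def edge_policy(customer, prefix, communities, next_hop):
    """Return (action, next_hop) for one customer announcement.

    Trigger communities are honoured only for prefixes inside the
    customer's own space, so a customer cannot divert or drop traffic
    for addresses that belong to someone else.
    """
    net = ipaddress.ip_network(prefix)
    owned = any(net.subnet_of(a) for a in CUSTOMER_SPACE.get(customer, [])
                if a.version == net.version)
    if not owned:
        return ("reject", None)
    if BLACKHOLE in communities:
        # Classic RTBH: traffic to the prefix is dropped at the edge.
        # Assumption: if both triggers are set, blackhole takes precedence.
        return ("blackhole", DISCARD_NH)
    if MITIGATE in communities:
        # Same trigger mechanism, but the route is re-advertised inside the
        # provider network with the scrubbers as next-hop.
        return ("scrub", SCRUBBER_NH)
    if net.prefixlen > 24:
        # Assumption: more-specifics than /24 are accepted only with a trigger.
        return ("reject", None)
    return ("accept", next_hop)


if __name__ == "__main__":
    for pfx, comms in [("203.0.113.0/24", []),
                       ("203.0.113.7/32", [MITIGATE]),
                       ("203.0.113.7/32", [BLACKHOLE]),
                       ("198.51.100.7/32", [MITIGATE])]:
        print(pfx, comms, edge_policy("cust-a", pfx, comms, "198.51.100.9"))
```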