A less common action is to use flowspec (if you have some Juniper gear) to drop only the attack and hopefully not any legitimate traffic. What is really missing atm is a way to filter flowspec announcements (limit the number and make sure they are for routes the peer is announcing). Until this is sorted I believe flowspec will be a marginal solution.
Thomas
PLUG: http://code.google.com/p/exabgp/

On 8 Dec 2010, at 13:46, alvaro.sanc...@adinet.com.uy wrote:

> A very common action is to blackhole ddos traffic upstream by sending a bgp route to the next AS with a preestablished community indicating the traffic must be sent to Null0. The route may be very specific, in order to impact as little as possible. This needs previous coordination between providers.
> Regards.
>
>> ----Original message----
>> From: rdobb...@arbor.net
>> Date: 08/12/2010 10:53
>> To: "North American Operators' Group" <nanog@nanog.org>
>> Subject: Re: Over a decade of DDOS--any progress yet?
>>
>> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>>
>>> One big problem (IMHO) of DDoS is that sources (the hosts of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
>>
>> The technology exists to detect and classify this attack traffic, and is deployed in production networks today.
>>
>> And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes.
>>
>>> On the other hand the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect.
>>
>> Actually, there're lots of things they can do.
>>
>>> I know that this has many security concerns, but would a signalling protocol between ISPs be good to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close to the source as possible? Of course this is more complex than these three or two lines, but I wonder if this has been considered in the past.
>>
>> It already exists.
>>
>> -----------------------------------------------------------------------
>> Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>
>>
>> Sell your computer and buy a guitar.
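The check Thomas says is missing (accept a flowspec rule only if its destination prefix is covered by a unicast route the same peer announces, and cap the number of rules per peer) can be sketched on the receiving side. This is an added Python example, not code from the thread or from ExaBGP; the unicast RIB, peer names, announcements and the limit are constructed, and "announcing peer" stands in for the RFC 5575 best-match originator check.

```python
import ipaddress
from collections import defaultdict

# Constructed unicast RIB: best-path prefix -> peer that announced it.
UNICAST_RIB = {
    "192.0.2.0/24": "peer-A",
    "198.51.100.0/24": "peer-B",
    "203.0.113.0/25": "peer-A",
}

# Constructed flowspec announcements: (announcing peer, destination prefix).
FLOWSPEC_ANNOUNCEMENTS = [
    ("peer-A", "192.0.2.10/32"),    # covered by peer-A's /24 -> accept
    ("peer-A", "198.51.100.0/24"),  # covering route belongs to peer-B -> reject
    ("peer-B", "10.0.0.0/8"),       # no covering unicast route at all -> reject
    ("peer-A", "203.0.113.5/32"),   # covered by peer-A's /25 -> accept
    ("peer-A", "192.0.2.20/32"),    # valid, but exceeds the per-peer cap -> reject
]

MAX_RULES_PER_PEER = 2  # assumed local policy limit, deliberately low for the demo


def best_match(dst, rib):
    """Longest-prefix unicast match for a flowspec destination, or None."""
    dst_net = ipaddress.ip_network(dst)
    best = None
    for prefix, peer in rib.items():
        net = ipaddress.ip_network(prefix)
        if net.version != dst_net.version or not dst_net.subnet_of(net):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, peer)
    return best


def validate(announcements, rib, max_rules=MAX_RULES_PER_PEER):
    """Split announcements into (accepted, rejected-with-reason) lists."""
    accepted, rejected = [], []
    per_peer = defaultdict(int)
    for peer, dst in announcements:
        match = best_match(dst, rib)
        if match is None:
            rejected.append((peer, dst, "no covering unicast route"))
        elif match[1] != peer:
            rejected.append((peer, dst, f"covering route {match[0]} is from {match[1]}"))
        elif per_peer[peer] >= max_rules:
            rejected.append((peer, dst, "per-peer rule limit reached"))
        else:
            per_peer[peer] += 1
            accepted.append((peer, dst))
    return accepted, rejected
```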