Baldur,

Modifying the routing table with a next-hop change from a community is 
different from having a line card filtering packets at layer 4; of course most, 
if not all, carriers will support it. Instead of doing normal TCAM route 
lookups, you’re getting into packet inspection territory, which is something 
completely different.

Just quickly reading the ASR 9K documentation, it can only support 3K rules per 
system. Juniper – 8K, Alcatel-Lucent – 512. That’s pretty low considering I can 
put many /32s into a routing table very easily and without hassle.

As I said before, no ISP is going to offer such filtering services for free 
when DDoS mitigation is a cash cow.

Ryan Hamel

From: NANOG <nanog-boun...@nanog.org> On Behalf Of Baldur Norddahl
Sent: Sunday, September 02, 2018 1:42 AM
To: nanog@nanog.org
Subject: Re: automatic rtbh trigger using flow data

This is not true. Some of our transits do RTBH for free. For example Cogent.

They will not do FlowSpec. Maybe their equipment can not do it or for some 
other reason.

However RTBH is a simple routing hack that can be implemented on any router. 
The traffic is dropped right at the edge and is never transported on the 
transit provider network. In that sense it also protects the transit network.

RTBH only for UDP would also be a very simple hack on many routers.

It might not be FlowSpec, but it may have most of the benefit, in a much 
simplified way.

Regards

Baldur


Sun. 2 Sep. 2018 02:39 Ryan Hamel <ryan.ha...@quadranet.com> wrote:
No ISP is in the business of filtering traffic unless the client pays the hefty 
fee since someone still has to tank the attack.

I also don’t think there is destination prefix IP filtering in flowspec, which 
could seriously cause problems.

From: NANOG <nanog-boun...@nanog.org> On Behalf Of Baldur Norddahl
Sent: Saturday, September 01, 2018 5:18 PM
To: nanog@nanog.org
Subject: Re: automatic rtbh trigger using flow data


Fri. 31 Aug. 2018 17:16 Hugo Slabbert <h...@slabnet.com> wrote:


I would love an upstream that accepts flowspec routes to get granular about
drops and to basically push "stateless ACLs" upstream.

_keeps dreaming_


We just need a signal to drop UDP for a prefix. The same as RTBH but only for 
UDP. This would prevent all volumetric attacks without the end user being cut 
off completely.

Apart from some games, VPN and VoIP, they would have an almost completely 
normal internet experience. DNS would go through the ISP servers and only be 
affected if the user is using a third-party service.

Regards

Baldur
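As an added illustration of the two mechanisms argued about in this thread (not code from any of the posters), the script below takes constructed flow records, finds destinations whose UDP volume exceeds a threshold, and emits both signalling forms side by side: the RTBH form is just a /32 route tagged with the RFC 7999 BLACKHOLE community, while the UDP-only form is an RFC 5575 FlowSpec NLRI ("destination prefix /32, IP protocol == 17") that the edge must install as a match rule rather than a route. The flow records and the threshold are assumptions, not data from the thread.

```python
# Added example: automatic RTBH / UDP-only FlowSpec trigger fed by flow records.
# Flow records and threshold are constructed for illustration, not real traffic.
from collections import defaultdict
from ipaddress import IPv4Address

UDP = 17
BLACKHOLE = "65535:666"          # RFC 7999 well-known BLACKHOLE community
THRESHOLD_BYTES = 1_000_000_000  # assumed policy threshold per sample window

# Constructed flow records: (destination IP, IP protocol, bytes in window).
FLOWS = [
    ("203.0.113.10", UDP, 900_000_000),
    ("203.0.113.10", UDP, 400_000_000),
    ("203.0.113.10", 6, 30_000_000),     # TCP to the same host is not counted
    ("203.0.113.20", UDP, 50_000_000),   # stays under threshold
]

def udp_bytes_by_dst(flows):
    """Sum UDP bytes per destination /32; other protocols are ignored."""
    totals = defaultdict(int)
    for dst, proto, nbytes in flows:
        if proto == UDP:
            totals[dst] += nbytes
    return dict(totals)

def rtbh_route(dst):
    """RTBH trigger: a /32 carrying BLACKHOLE; the upstream maps it to a discard next-hop."""
    return f"{dst}/32 community {BLACKHOLE}"

def udp_flowspec_nlri(dst):
    """RFC 5575 FlowSpec NLRI matching 'dst <ip>/32 and ip-proto == 17'.
    The drop action (traffic-rate 0) travels separately as an extended community."""
    comps = bytes([1, 32]) + IPv4Address(dst).packed  # type 1: destination prefix, length 32
    comps += bytes([3, 0x81, UDP])                    # type 3: operator end-of-list|eq, 1 byte, 17
    if len(comps) >= 240:
        raise ValueError("long-form NLRI length not handled")
    return bytes([len(comps)]) + comps                # short form: 1-byte NLRI length

def triggers(flows, threshold=THRESHOLD_BYTES):
    """Destinations over threshold, with both signalling forms for each."""
    out = {}
    for dst, total in udp_bytes_by_dst(flows).items():
        if total >= threshold:
            out[dst] = {"rtbh": rtbh_route(dst), "flowspec": udp_flowspec_nlri(dst).hex()}
    return out

if __name__ == "__main__":
    for dst, forms in triggers(FLOWS).items():
        print(dst, forms)
```

Note how the RTBH form scales with the routing table (one more /32) while every FlowSpec NLRI consumes one of the per-system rule slots Ryan quotes above.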
