Baldur, Modifying the routing table with a next-hop change from a community, is different than having a line card filtering packets at layer 4, of course most if not all carriers will support it. Instead of doing normal TCAM route lookups, you’re getting into packet inspection territory, which is something completely different.
Just quickly reading the ASR 9K documentation, it can only support 3K rules per system. Juniper – 8K, Alcatel-Lucent – 512. That’s pretty low considering I can put many /32s into a routing table very easily and without hassle. As I said before, no ISP is going to offer such filtering services for free when DDoS mitigation is a cash cow. Ryan Hamel From: NANOG <nanog-boun...@nanog.org> On Behalf Of Baldur Norddahl Sent: Sunday, September 02, 2018 1:42 AM To: nanog@nanog.org Subject: Re: automatic rtbh trigger using flow data This is not true. Some of our transits do RTBH for free. For example Cogent. They will not do FlowSpec. Maybe their equipment can not do it or for some other reason. However RTBH is a simple routing hack that can be implemented on any router. The traffic is dropped right at the edge and is never transported on the transit provider network. In that sense it also protects the transit network. RTBH only for UDP would also be a very simple hack on many routers. It might not be FlowSpec, but it may have most of the benefit, in a much simplified way. Regards Baldur søn. 2. sep. 2018 02.39 skrev Ryan Hamel <ryan.ha...@quadranet.com<mailto:ryan.ha...@quadranet.com>>: No ISP is in the business of filtering traffic unless the client pays the hefty fee since someone still has to tank the attack. I also don’t think there is destination prefix IP filtering in flowspec, which could seriously cause problems. From: NANOG <nanog-boun...@nanog.org<mailto:nanog-boun...@nanog.org>> On Behalf Of Baldur Norddahl Sent: Saturday, September 01, 2018 5:18 PM To: nanog@nanog.org<mailto:nanog@nanog.org> Subject: Re: automatic rtbh trigger using flow data fre. 31. aug. 2018 17.16 skrev Hugo Slabbert <h...@slabnet.com<mailto:h...@slabnet.com>>: I would love an upstream that accepts flowspec routes to get granular about drops and to basically push "stateless ACLs" upstream. _keeps dreaming_ We just need a signal to drop UDP for a prefix. The same as RTBH but only for UDP. This would prevent all volumetric attacks without the end user being cut off completely. Besides from some games, VPN and VoIP, they would have an almost completely normal internet experience. DNS would go through the ISP servers and only be affected if the user is using a third party service. Regards Baldur
