I would redirect the packet to a VRF with one global drop UDP ACL. That scales perfectly. There are probably many ways to implement such a feature.
Sun. 2 Sep 2018 11:07 Ryan Hamel <ryan.ha...@quadranet.com> wrote:

> Baldur,
>
> Modifying the routing table with a next-hop change from a community is different than having a line card filtering packets at layer 4; of course most if not all carriers will support it. Instead of doing normal TCAM route lookups, you're getting into packet inspection territory, which is something completely different.
>
> Just quickly reading the ASR 9K documentation, it can only support 3K rules per system. Juniper – 8K, Alcatel-Lucent – 512. That's pretty low considering I can put many /32s into a routing table very easily and without hassle.
>
> As I said before, no ISP is going to offer such filtering services for free when DDoS mitigation is a cash cow.
>
> Ryan Hamel
>
> From: NANOG <nanog-boun...@nanog.org> On Behalf Of Baldur Norddahl
> Sent: Sunday, September 02, 2018 1:42 AM
> To: nanog@nanog.org
> Subject: Re: automatic rtbh trigger using flow data
>
> This is not true. Some of our transits do RTBH for free. For example Cogent.
>
> They will not do FlowSpec. Maybe their equipment cannot do it, or for some other reason.
>
> However RTBH is a simple routing hack that can be implemented on any router. The traffic is dropped right at the edge and is never transported on the transit provider network. In that sense it also protects the transit network.
>
> RTBH only for UDP would also be a very simple hack on many routers.
>
> It might not be FlowSpec, but it may have most of the benefit, in a much simplified way.
>
> Regards
>
> Baldur
>
> Sun. 2 Sep 2018 02:39 Ryan Hamel <ryan.ha...@quadranet.com> wrote:
>
> No ISP is in the business of filtering traffic unless the client pays the hefty fee, since someone still has to tank the attack.
>
> I also don't think there is destination prefix IP filtering in flowspec, which could seriously cause problems.
>
> From: NANOG <nanog-boun...@nanog.org> On Behalf Of Baldur Norddahl
> Sent: Saturday, September 01, 2018 5:18 PM
> To: nanog@nanog.org
> Subject: Re: automatic rtbh trigger using flow data
>
> Fri. 31 Aug 2018 17:16 Hugo Slabbert <h...@slabnet.com> wrote:
>
> I would love an upstream that accepts flowspec routes to get granular about drops and to basically push "stateless ACLs" upstream.
>
> _keeps dreaming_
>
> We just need a signal to drop UDP for a prefix. The same as RTBH but only for UDP. This would prevent all volumetric attacks without the end user being cut off completely.
>
> Apart from some games, VPN and VoIP, they would have an almost completely normal internet experience. DNS would go through the ISP servers and only be affected if the user is using a third party service.
>
> Regards
>
> Baldur
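An added illustration of the thread's subject (an automatic RTBH trigger driven by flow data) with the UDP-only signal Baldur describes layered on top; this is example code written for this page, not anything posted by the participants or used by any upstream. The two community values, the thresholds, the flow records and the ExaBGP-style announce text are all assumptions chosen for the example.

```python
from collections import defaultdict

# Hypothetical trigger communities (assumptions, not from any real upstream):
# the conventional RTBH community drops everything for the /32, the second
# one is the "drop UDP only" signal the thread wishes for.
RTBH_ALL = "65535:666"
RTBH_UDP = "65000:667"
WINDOW = 60                  # seconds of flow data per decision
UDP_BPS = 2_000_000_000      # UDP toward one /32 above this: UDP-only drop
ALL_BPS = 8_000_000_000      # total toward one /32 above this: full blackhole

# Constructed flow records for one WINDOW: (destination, IP protocol, bytes).
# Protocol 17 is UDP, 6 is TCP.
FLOWS = [
    ("192.0.2.10", 17, 20_000_000_000),  # UDP flood, about 2.7 Gbit/s
    ("192.0.2.10", 6, 100_000_000),      # the host's normal TCP traffic
    ("192.0.2.20", 6, 90_000_000_000),   # TCP flood, about 12 Gbit/s
    ("192.0.2.30", 17, 50_000_000),      # ordinary UDP, well under threshold
]


def rates(flows, window=WINDOW):
    """Per destination: (UDP bit/s, total bit/s) averaged over the window."""
    udp, total = defaultdict(int), defaultdict(int)
    for dst, proto, nbytes in flows:
        total[dst] += nbytes * 8
        if proto == 17:
            udp[dst] += nbytes * 8
    return {dst: (udp[dst] / window, total[dst] / window) for dst in total}


def decide(flows, udp_bps=UDP_BPS, all_bps=ALL_BPS):
    """Pick, per attacked /32, the least disruptive signal that stops the flood."""
    actions = {}
    for dst, (udp_rate, total_rate) in rates(flows).items():
        if total_rate >= all_bps:
            actions[dst] = RTBH_ALL      # non-UDP flood: only a full RTBH helps
        elif udp_rate >= udp_bps:
            actions[dst] = RTBH_UDP      # UDP flood: host keeps its TCP services
    return actions


def announcements(actions, next_hop="192.0.2.1"):
    """Render ExaBGP-style API lines; next_hop is a placeholder discard route."""
    return [f"announce route {dst}/32 next-hop {next_hop} community [{comm}]"
            for dst, comm in sorted(actions.items())]


if __name__ == "__main__":
    for line in announcements(decide(FLOWS)):
        print(line)
```

The UDP-only decision is what keeps the attacked host reachable over TCP, which is the trade-off the thread argues for; a real deployment would also withdraw the route once the rate drops back under threshold.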