Re: Article: DoD, DoJ press FCC for industry-wide BGP security standard

Way overdue! In the last 4 weeks, I've had at least 20 diff conversations with FSI Network operators re: BGP hijacking, how to detect and in the future, mitigate with higher levels of success. Come on BGP RPKI/ROA adaption. I found the easiest way is via ISP pressure to implement dropping invalid r

DDoS Attacks targeting VPN/IPSEC endpoints

Any one else seeing this? Hearing some isolated events across different industry segments. If you are, can you provide any TTPs?

Arbor Reports 540Gbps "Sustained" Attack

https://www.arbornetworks.com/blog/asert/rio-olympics-take-gold-540gbsec-sustained-ddos-attacks/ I've used SP Peakflow before and I have my opinions. With all the intelligence out there about DDoS attacks, DDoS attackers, DDoS tools and techniques this article leaves me with ton's of questions. I

Re: NANOG Digest, Vol 90, Issue 1

To Ramy, Thank you for the acknowledgement. DDoS Mitigation service providers, regardless if its pure cloud, hybrid cloud, or CPE only, all face these challenges when it comes to DDoS Attacks. Can you restate your question again or rephrase it for the forum? Seems there is some confusion or maybe

Re: GRE performance over the Internet - DDoS cloud mitigation

when under load? > > > I typically protect the BGP session by policing all traffic being > delivered to the remote end except for BGP. Using this posture, my BGP > session over GRE are stable; even under attack. > > Kenneth > > On Jun 30, 2015, at 01:37 PM, Dennis B wrot

Re: GRE performance over the Internet - DDoS cloud mitigation

which deems wide opinion. Specifically, use-cases about how to apply defense in depth logically in the DC vs Hybrid vs Pure Cloud. Good topic, already some back-chatter personal opinions from Nanog lurkers! Regards, Dennis B. On Tue, Jun 30, 2015 at 2:45 PM, Roland Dobbins wrote: > > On

Re: GRE performance over the Internet - DDoS cloud mitigation

Depends on what performance considerations you are trying to address, technically. The question is how can we guarantee the GRE/BGP performance (control traffic) during the time between detection and mitigation? GRE decapsulation? IE: Hardware vs Software? Routing of the Protocol over the interne

Re: AT&T / Verizon DNS Flush?

The default TTL should be 300 secs, esp with everyone switching A records to cloud providers, imho. That way, who ever is the SOA and the zone master, can update it based on design scale or sla of that provider. DNS needs a protocol refresh anyways. Dennis B. On Apr 16, 2014 7:30 PM, "