[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
DDOS solution recommendation
Iâ??m stuck trying to find a virtual router environment that I can play with flowspec on. We do have some Juniper routers, but they are in production and I donâ??t think I want to touch flowspec on them just yet.
Does anyone have any experience or any ideas here? Even openbgpd?
> On Jan 11, 2015, at 6:58 PM, Roland Dobbins <rdobbins at arbor.net> wrote:
>
>
> On 11 Jan 2015, at 20:52, Ca By wrote:
>
>> 1. BCP38 protects your neighbor, do it.
>
> It's to protect yourself, as well. You should do it all the way down to the transit customer aggregation edge, all the way down to the IDC access layer, etc.
>
>> 2. Protect yourself by having your upstream police Police UDP to some
>> baseline you are comfortable with.
>
> This will come back to haunt you, when the programmatically-generated attack traffic 'crowds out' the legitimate traffic and everything breaks.
>
> You can only really do this for ntp.
>
>> 3. Have RTBH ready for some special case.
>
> S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
>
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>