Would the tunnel problems be solved if you peered with them in a datacenter?
-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

----- Original Message -----
From: "Zach Underwood" <[email protected]>
To: "AnimalFarm Microwave Users Group" <[email protected]>
Sent: Wednesday, January 20, 2021 8:23:43 PM
Subject: Re: [AFMUG] DDOS on cgnat

Remote DDoS protection has a few points. The below applies to DDoS protection that cannot normally be in the traffic flow.

1. It can break IPsec tunnels that were set up prior to the mitigation. We saw this a lot at Arbor; it is due to when the IPsec tunnel comes up the MTU becomes fixed. When you swing the traffic into mitigation, the new MTU end to end is now smaller than when the tunnel came up. We would tell clients to hard set a smaller MTU like 14xx something in the IPsec so the tunnels would stay up during the mitigation. Otherwise the tunnel would have to be bounced to come back up.
2. To bring the clean traffic back into the network the most common is GRE tunnels, but this is really limited to 1-2 Gbps on most platforms.
3. The good remote DDoS protection is very expensive.
4. You will need a minimum of a /24 that you have permission to allow another AS to announce the prefix.
5. Most services base pricing on Gbps of clean traffic coming off the backend.

On Wed, Jan 20, 2021, 8:50 PM Dev <[email protected]> wrote:

If you do BGP you can send it to a black hole, otherwise if the link is truly saturated and unusable, you’ll probably be talking upstream to someone who can help. Later you can buy proxy scrubbing services or get an Arbor box, but that probably doesn’t help you now.

> On Jan 20, 2021, at 3:55 PM, Matt Hoppes <[email protected]> wrote:
>
> Any ideas how to mitigate DDOS attacks when you’re on CGNAT with maybe 100 people behind one IP concentrator?
--
AF mailing list
[email protected]
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
