You can do one or more of these three options:
Drop packets at the edge, so your internal network doesn't get flooded.
Only works if your edge routers or scrubbing device can handle the load,
and your upstream connection is big enough to not be saturated.
Use BGP blackhole communities to have your upstream null route traffic
destined for a specific IP/subnet. Only works if the target(s) of the
DDoS are small (e.g. a single customer) and your upstream supports
blackholing.
Have a third party announce your space, scrub DDoS junk, and forward you
the rest. Will always work, but typically is 5 figures+ in monthly cost.
Third option is the easiest, and by far the most costly.
On 7/13/2017 3:59 PM, Dev wrote:
Yeah, our issue isn’t internal, and we already buy lots of bandwidth and have
very capable, very large routers, so unless DDoS protection is upstream before
it hits us, I don’t think it will work? We can’t reach the upstream network
when it’s flooded, so I think we’d have to route to some very large network
upstream from them that could handle this, and they scrub it and send it to us.
Akamai sounds good but expensive (maybe?), I’ve gotten a couple tips off list,
so thanks. I don’t know what anyone could do in this case with CCR routers
alone? Our upstream can do BGP.
There are companies where you can have them announce your IP space, and
they only send you the 'good' traffic. But it costs a hell of a lot more
than just upgrading your upstream for most smaller ISPs.
On 7/13/2017 10:19 AM, Kurt Fankhauser wrote:
Is there a way to do DDOS protection that doesn't involve buying a
bigger bandwidth pipe or initiating some sort of blackhole with your
upstream?
On Thu, Jul 13, 2017 at 10:10 AM, Mike Hammett <[email protected]
<mailto:[email protected]>> wrote:
I'm going to be implementing some on-net scrubbing boxes.
Obviously limited by upstream capacity, simply acquire more
upstream capacity. ;-)
--
Simon Westlake
Email: [email protected]
Phone: (702) 447-1247 US / (780) 900-1180 CA
---------------------------
Sonar Software Inc
The future of ISP billing and OSS
https://sonar.software
