We are working on a MikroTik method of automatic detection and mitigation based on a firewall rule adding addresses to a list that are getting a certain number of packets per second, and then a script that adds that /32 to BGP networks for advertisement with the correct black hole community (HE.net), or black hole server (Cogent). It works in a lab setting, but we haven't had an attack since implementing the detection side only to our edge router.
On Mon, Apr 2, 2018 at 3:16 PM, Mathew Howard <[email protected]> wrote:

> Yeah, something like that seems kind of pointless... even with 10Gbps,
> there's a good chance it's going to just overload your upstreams anyway,
> and just about any DDoS attack worth mentioning is going to kill 1Gbps
> these days. DDoS mitigation on your upstreams would seem like a better way
> to go to me.
>
> On Mon, Apr 2, 2018 at 3:08 PM, Seth Mattinen <[email protected]> wrote:
>
>> On 4/2/18 11:12, Paul McCall wrote:
>>
>>> Anybody used a device like this at Layer 2 in between your core and an
>>> upstream? Purpose: Protection / Mitigation of DDOS attacks.
>>>
>>> http://www.serveru.us/en/
>>>
>>> We have 1 Gbit interfaces currently, but that will jump up to 10Gbit
>>> interfaces soon.
>>
>> Nowadays DDoS attacks can easily surpass 10Gbps, so I don't see the point
>> of trying to do any on-net scrubbing unless you can bring more bandwidth to
>> bear than the attacker can.
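The script side of the approach described at the top of this message (detection list in, /32 blackhole advertisements out) can be sketched as a reconciliation step. This is an added example, not the poster's script: the prefixes, protected address, cap, hold time, community placeholder and the `plan_blackholes` name are all assumptions, and it goes beyond the message by adding guard rails against blackholing addresses that should never be advertised.

```python
import ipaddress

# All values below are assumptions for illustration, not taken from the thread.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
PROTECTED = {ipaddress.ip_address("203.0.113.1")}   # e.g. router loopback, resolver
BLACKHOLE_COMMUNITY = "<upstream-blackhole-community>"  # placeholder, see upstream docs
MAX_BLACKHOLES = 3      # never advertise more than this many /32s at once
HOLD_SECONDS = 600      # minimum time a blackhole stays up, to avoid route flapping


def plan_blackholes(detected, announced, now):
    """Reconcile the firewall address list with the advertised /32 blackholes.

    detected:  {ip string: last-seen epoch} exported from the detection list
    announced: {ip string: announced-at epoch} for /32s currently advertised
    Returns (announce, withdraw, skipped).
    """
    eligible, skipped = {}, {}
    for text, seen in detected.items():
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            skipped[text] = "invalid address"
            continue
        if not any(ip in net for net in OWN_PREFIXES):
            skipped[text] = "outside our prefixes"
        elif ip in PROTECTED:
            skipped[text] = "protected infrastructure"
        else:
            eligible[str(ip)] = seen

    # Withdraw only once the target has left the list and the hold time passed.
    withdraw = sorted(ip for ip, since in announced.items()
                      if ip not in eligible and now - since >= HOLD_SECONDS)
    active = len(announced) - len(withdraw)

    announce = []
    # Most recently seen targets first; the cap bounds a false-positive storm.
    for ip in sorted((i for i in eligible if i not in announced),
                     key=lambda i: eligible[i], reverse=True):
        if active < MAX_BLACKHOLES:
            announce.append((ip + "/32", BLACKHOLE_COMMUNITY))
            active += 1
        else:
            skipped[ip] = "blackhole cap reached"
    return announce, withdraw, skipped
```

The returned `announce` and `withdraw` lists are what a router-side script would turn into BGP network additions and removals; `skipped` is worth logging, since it shows when the detection rule matched something that must not be blackholed.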
