Hi, just an idea for networks with a small budget that do not want to blackhole the destination but also do not want attack traffic to enter their network:
Rent one additional port from each upstream provider and convince the upstream provider to accept /32 routes without exporting them (I know not all will do this; this may be the hardest part of the whole scenario). Connect all those ports to a single Layer 3 switch like an EX4550 or even smaller. Connect some cheap mitigation solution like Wanguard to it (don't know if similar software exists from other vendors). In the attack case, let it send a /32 route with the next hop of the "scrubbing center" (scrubbing server or, in case of multiple servers, the EX that does ECMP to the servers). Connect the "scrubbing center" to your regular network with some very small rate (something below the usual customer connection bandwidth).

Even if the setup is unable to filter out the bad traffic, this could remove the bottleneck between your upstream provider and your network for much less than what anti-DDoS providers charge.

We use a similar setup inside our network (hanging between core and customer access layer, not between upstream and own equipment). In the case of Wanguard, detection speed is great (if you use a mirror port + sniffer instead of flows), but the filtering result is poor for everything more complex than a DNS/NTP reflection (but that usually is the daily stuff).

Kind regards
Rolf

> Our ISP doesn't provide S/RTBH, also in DDoS S/RTBH not handy.
>
> --
> Sent from my iPhone
>
>> On Apr 15, 2016, at 5:41 PM, Roland Dobbins <[email protected]> wrote:
>>
>>> On 16 Apr 2016, at 3:51, Payam Chychi wrote:
>>>
>>> it's all a very basic concept
>>
>> Concur 100%.
>>
>> And don't concentrate solely on D/RTBH, which completes the attack for
>> the attacker - look at S/RTBH and flowspec, too.
>>
>> -----------------------------------
>> Roland Dobbins <[email protected]>
>> _______________________________________________
>> juniper-nsp mailing list [email protected]
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
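As an added example (not part of Rolf's post, nor Juniper's or Wanguard's own documentation), here is a Junos policy sketch of the diversion step on the Layer 3 switch described in the post: the switch accepts a /32 host route from the detection box, forces its next hop to the scrubbing center, and re-announces that /32 to the upstream over the rented port tagged no-export so the upstream pulls the attack traffic onto that port without propagating the route further. All addresses, AS numbers, community values and group names are constructed placeholders; the prefix-length-range terms match IPv4 only.

```junos
/* Constructed example. 192.0.2.10 is the scrubbing center (or the ECMP EX in
   front of several scrubbers), 10.0.0.5 the Wanguard BGP speaker, AS 65000 is
   our own AS, 64500 the upstream and 203.0.113.1 the upstream's rented port. */
policy-options {
    community DIVERT-TO-SCRUBBER members 65000:666;
    community NO-EXPORT members no-export;

    /* Import from the detector: only /32 host routes carrying the diversion
       community are accepted; their next hop is rewritten to the scrubber and
       they are marked no-export right away so they can never leak. */
    policy-statement IMPORT-FROM-DETECTOR {
        term diverted-host {
            from {
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
                community DIVERT-TO-SCRUBBER;
            }
            then {
                next-hop 192.0.2.10;
                community add NO-EXPORT;
                accept;
            }
        }
        term deny-rest {
            then reject;
        }
    }

    /* Export towards the upstream on the rented port: announce only the
       diverted /32s (still tagged no-export); nothing else leaves here. */
    policy-statement EXPORT-TO-UPSTREAM {
        term diverted-host {
            from {
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
                community DIVERT-TO-SCRUBBER;
            }
            then {
                community add NO-EXPORT;
                accept;
            }
        }
        term deny-rest {
            then reject;
        }
    }
}

protocols {
    bgp {
        group DETECTOR {
            type internal;
            import IMPORT-FROM-DETECTOR;
            neighbor 10.0.0.5;
        }
        group UPSTREAM-A {
            type external;
            peer-as 64500;
            export EXPORT-TO-UPSTREAM;
            neighbor 203.0.113.1;
        }
    }
}
```

The two-term structure is deliberate: the deny-rest terms make sure a misconfigured detector cannot inject anything wider than a /32, and the no-export community is added both on import and on export so that even a later change to the export policy does not turn the diversion route into a globally visible announcement. When the attack ends, the detector withdraws the /32 and the upstream's normal route to the prefix takes over again.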

