On 6 Dec 2010, at 15:34, David Ulevitch wrote:

> On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore <[email protected]> wrote:
>> On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
>>
>>> Besides having *a lot* of bandwidth there's not really much you can do to
>>> mitigate. Once you have the bandwidth you can filter (w/good hardware).
>>> Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.
>>
>> There is a variation on that theme. Using a distributed architecture
>> (anycast, CDN, whatever), you can limit the attack to certain nodes. If you
>> have 20 nodes and get attacked from a botnet in China, only the users on the
>> same node as the Chinese users will be down. The other 95% of your users will
>> be fine. This is true even if you have 1 Gbps per node, and the attack is
>> 100 Gbps strong.
>
> I think this is only true if you run your BGP session on a different
> path (or have your provider pin down a static route). If you are
> using BGP and run it on the same path, the 100 Gbps will cause massive
> packet loss and likely cause your BGP session to drop, which will just
> move the attack to another site, rinse / repeat. I don't think very
> many people run BGP over a separate circuit, but for some folks, it
> might be appropriate.
Running BGP over a different circuit will cause some blackholing of the traffic if the real link is down but not the BGP path. So IMHO the best way is still a good router with some basic QoS to protect BGP on the link.

Thomas
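As an added illustration of the "basic QoS to protect BGP on the link" that Thomas suggests, and not configuration posted by anyone in this thread, here is one way to express it as a Cisco IOS MQC policy. The interface name, the ACL and policy names and the 256 kbps reservation are hypothetical; adjust them to the platform and link in question.

```cisco
! Hypothetical names and figures; not taken from the thread.
! Match BGP in both directions (TCP/179 as source or destination).
ip access-list extended BGP-TRAFFIC
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-all BGP
 match access-group name BGP-TRAFFIC
!
! Strict-priority queue for BGP so keepalives and updates leave the box
! even when the transit link is saturated; everything else shares the rest.
policy-map PROTECT-BGP
 class BGP
  priority 256
 class class-default
  fair-queue
!
interface GigabitEthernet0/1
 description Transit to upstream
 service-policy output PROTECT-BGP
```

Two caveats a practitioner would want here. First, an output policy only protects the BGP packets your router sends; the keepalives and updates coming back from the upstream cross the flooded link before your QoS ever sees them, so the upstream has to apply an equivalent policy toward you (or drop the flood before the link) for the session to survive a 100 Gbps attack into a 1 Gbps circuit. Second, IOS marks its own BGP packets with IP precedence 6 (CS6), so `match ip precedence 6` is a common alternative selector to the port-based ACL above; with the default 60 s keepalive and 180 s hold time the session only drops after three missed keepalives, which is why short bursts of loss are survivable but a sustained flood is not.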

