Let's not ignore the value of DNS with a short TTL. It may not be "as quick" as a BGP adjustment, but it serves to provide a buttressed front-end IP that can restore service "instantly" [faster than getting someone on the phone to coordinate the change, etc].
Disclaimer: We provide a service for our customers that does substantially this sort of DDOS mitigation.

DJ

> Normally when mitigation is put in place, they advertise a more
> specific prefix from as26415, scrub the traffic and hand it back to you
> over a gre tunnel...
>
> Obviously some design consideration goes into having services in
> prefixes you're willing to de-agg in such a fashion... I'd also
> recommend advertising the more specific out your own ingress paths
> before they pull your route otherwise the churn while various ASes
> grind through their longer backup routes takes a while.
>
> On May 30, 2011, at 7:43 AM, Rubens Kuhl wrote:
>
> > ms made by the product descriptions seem suspect to me.
> >>
> >> it claims to be "Carrier-agnostic and ISP-neutral", yet "When an event is
> >> detected, Verisign will work with the customer to redirect Internet traffic
> >> destined for the protected service to a Verisign Internet Defense Network
> >> site."
> >>
> >> anyone here have any comments on how this works, and how effective it will be
> >> vs. dealing directly with your upstream providers and getting them to assist
> >> in shutting down the attack?
> >
> > Anyone willing to announce your IP blocks under attack, receive the
> > traffic and then tunnel the non-attack traffic back to you can provide
> > such services without cooperation from your upstreams. I don't know
> > the details about this particular provider, such as if they announce
> > your blocks from yours or theirs ASN, if they use more specifics,
> > communities or is simply very well connected, but as BGP on the DFZ
> > goes, it can work.
> >
> > You might need to get your upstreams to not filter announcements from
> > your IP block they receive, because that would prevent mitigation for
> > attack traffic from inside your upstream AS.
> >
> > (RPKI could also be a future challenge for such service, but one could
> > previously sign ROAs to be used in an attack response)
> >
> > Rubens
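
The RPKI point at the end of the thread, worked through as an added example (not written by anyone in the thread): RFC 6811 origin validation applied to the announcements involved in a diversion, before and after a ROA for the scrubbing AS is signed in advance. The customer ASN, the prefixes and the `readiness` helper are constructed for illustration; AS26415 is the origin mentioned above.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # prefix the ROA covers
    max_length: int  # longest announcement the ROA authorizes
    asn: int         # authorized origin AS (AS0 authorizes nobody)

def validate(route_prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the route
        covered = True
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid, and dropped
    # by networks that enforce origin validation.
    return "invalid" if covered else "not-found"

# Constructed sample data: documentation prefix and ASN for the customer.
CUSTOMER_ASN = 64500
SCRUBBER_ASN = 26415                 # origin AS named in the thread
COVERING = "198.51.100.0/24"         # what the customer announces day to day
MORE_SPECIFIC = "198.51.100.128/25"  # what gets announced during mitigation

ROAS_NORMAL = [ROA(COVERING, 24, CUSTOMER_ASN)]
# Signed ahead of time: lets the scrubbing AS originate up to a /25.
ROAS_PREPARED = ROAS_NORMAL + [ROA(COVERING, 25, SCRUBBER_ASN)]

def readiness(roas):
    """Validation state of each announcement involved in a diversion."""
    return {
        "customer covering": validate(COVERING, CUSTOMER_ASN, roas),
        "scrubber more-specific": validate(MORE_SPECIFIC, SCRUBBER_ASN, roas),
        "customer more-specific": validate(MORE_SPECIFIC, CUSTOMER_ASN, roas),
    }

if __name__ == "__main__":
    for label, roas in (("normal", ROAS_NORMAL), ("prepared", ROAS_PREPARED)):
        print(label, readiness(roas))
```

With only the day-to-day ROA, the scrubbing AS's more-specific validates as invalid; with the pre-signed ROA it is valid, while the customer's own more-specific stays invalid until the customer's ROA also allows a /25.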