On Tue, May 31, 2011 at 3:06 PM, Deepak Jain <[email protected]> wrote:
> Let's not ignore the value of DNS with a short ttl time. It may not be "as
> quick" as a BGP adjustment, but serves to provide a buttressed front-end IP
> that can restore service "instantly" [faster than getting someone on the
> phone to coordinate the change, etc].
>
> Disclaimer: We provide a service for our customers that does substantially
> this sort of DDOS mitigation.
>

also, note that VerizonBusiness ddos-mitigation service was no-call-required,
just send the right community on a configured session ... and 'cheap'.

-chris

>>
>> Normally when mitigation is put in place, they advertise a more
>> specific prefix from as26415, scrub the traffic and hand it back to you
>> over a gre tunnel...
>>
>> Obviously some design consideration goes into having services in
>> prefixes you're willing to de-agg in such a fashion... I'd also
>> recommend advertising the more specific out your own ingress paths
>> before they pull your route; otherwise the churn while various ASes
>> grind through their longer backup routes takes a while.
>>
>> On May 30, 2011, at 7:43 AM, Rubens Kuhl wrote:
>>
>> > ms made by the product descriptions seem suspect to me.
>> >>
>> >> it claims to be "Carrier-agnostic and ISP-neutral", yet "When an
>> >> event is detected, Verisign will work with the customer to redirect
>> >> Internet traffic destined for the protected service to a Verisign
>> >> Internet Defense Network site."
>> >>
>> >> anyone here have any comments on how this works, and how effective
>> >> it will be vs. dealing directly with your upstream providers and
>> >> getting them to assist in shutting down the attack?
>> >
>> > Anyone willing to announce your IP blocks under attack, receive the
>> > traffic and then tunnel the non-attack traffic back to you can provide
>> > such services without cooperation from your upstreams. I don't know
>> > the details about this particular provider, such as if they announce
>> > your blocks from your or their ASN, if they use more specifics,
>> > communities, or are simply very well connected, but as BGP on the DFZ
>> > goes, it can work.
>> >
>> > You might need to get your upstreams to not filter announcements from
>> > your IP block they receive, because that would prevent mitigation for
>> > attack traffic from inside your upstream AS.
>> >
>> > (RPKI could also be a future challenge for such service, but one could
>> > previously sign ROAs to be used in an attack response)
>> >
>> > Rubens
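The two points above that matter for anyone planning this (the scrubber originating a more-specific of your block from AS26415, and Rubens' remark that ROAs would have to be signed in advance once peers validate origins) can be checked against the RFC 6811 origin-validation rules directly. The following is an added illustration written for this page, not code from the thread or from any mitigation provider. It implements the RFC 6811 decision (NotFound / Valid / Invalid) over a constructed set of validated ROA payloads and compares the outcome for the mitigation announcements before and after the customer pre-signs a ROA for the scrubbing AS. The customer AS 64500, the prefixes 10.20.0.0/16 and 10.20.5.0/24, and the ROA contents are all made up for the example; only AS26415 comes from the thread.

```python
"""RFC 6811 route origin validation over a constructed ROA set.

Added example for this thread; not code from any provider.  Every
prefix and AS number except 26415 (named in the thread) is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable


@dataclass(frozen=True)
class VRP:
    """One validated ROA payload: prefix, maxLength, authorised origin."""
    prefix: str
    max_length: int
    asn: int


def validate(route_prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Return the RFC 6811 validation state for a (prefix, origin AS) route.

    NotFound: no VRP covers the announced prefix.
    Valid:    some covering VRP names this origin AS and permits this length.
    Invalid:  covered, but no VRP authorises this origin at this length.
    """
    route = ip_network(route_prefix, strict=False)
    covering = []
    for vrp in vrps:
        roa_net = ip_network(vrp.prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(vrp)
    if not covering:
        return "NotFound"
    for vrp in covering:
        if vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "Valid"
    return "Invalid"


CUSTOMER_AS = 64500          # constructed customer AS
SCRUBBER_AS = 26415          # scrubbing-provider AS named in the thread
AGGREGATE = "10.20.0.0/16"   # constructed customer block
VICTIM = "10.20.5.0/24"      # constructed more-specific carved out under attack

# Before planning: only the aggregate, from the customer's own AS, is signed.
ROAS_BEFORE = [VRP(AGGREGATE, 16, CUSTOMER_AS)]

# Pre-signed for attack response: both the customer and the scrubbing AS may
# originate the block de-aggregated down to /24 (but no further).
ROAS_PREPARED = [
    VRP(AGGREGATE, 24, CUSTOMER_AS),
    VRP(AGGREGATE, 24, SCRUBBER_AS),
]


def mitigation_announcements(vrps: Iterable[VRP]) -> dict:
    """Validation state of each announcement a validating peer would see
    during mitigation, plus two controls (too-specific and uncovered)."""
    vrps = list(vrps)
    return {
        "customer_aggregate": validate(AGGREGATE, CUSTOMER_AS, vrps),
        "customer_more_specific": validate(VICTIM, CUSTOMER_AS, vrps),
        "scrubber_more_specific": validate(VICTIM, SCRUBBER_AS, vrps),
        "scrubber_too_specific": validate("10.20.5.0/25", SCRUBBER_AS, vrps),
        "unrelated_prefix": validate("10.99.0.0/24", SCRUBBER_AS, vrps),
    }


if __name__ == "__main__":
    for label, roas in (("before", ROAS_BEFORE), ("prepared", ROAS_PREPARED)):
        print(label)
        for name, state in mitigation_announcements(roas).items():
            print(f"  {name:24s} {state}")
```

With the unprepared ROA set, both the scrubber's /24 and your own pre-emptive /24 come back Invalid at any peer doing origin validation, so the whole diversion fails exactly where Rubens says it would; with the prepared set, the /24s from either AS are Valid while a /25 or an uncovered prefix still is not. The price of this is the loosened maxLength: it authorises more-specifics from either AS, which is what RFC 9319 warns against, so keep it to the length you actually intend to de-aggregate to.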

