On Sun, Jan 11, 2015 at 6:58 AM, Roland Dobbins <rdobb...@arbor.net> wrote:
> On 11 Jan 2015, at 20:52, Ca By wrote:
>
>> 1. BCP38 protects your neighbor, do it.
>
> It's to protect yourself, as well. You should do it all the way down to
> the transit customer aggregation edge, all the way down to the IDC access
> layer, etc.
>
>> 2. Protect yourself by having your upstream police UDP to some
>> baseline you are comfortable with.
>
> This will come back to haunt you, when the programmatically-generated
> attack traffic 'crowds out' the legitimate traffic and everything breaks.
>
> You can only really do this for ntp.

I do it for all UDP. There are bw policers and pps policers. As I said, this is known to work for me. YMMV. It is a managed risk, like anything. There are no silver bullets.

I feel bad for people developing things like QUIC and WebRTC on UDP. But I have already informed them of this risk to using UDP instead of a new L4 protocol.

Protip: UDP is a cesspool. Don't build things on a cesspool where the vast majority of traffic is illegitimate. Guilty by association is a real thing. UDP will not have a renaissance.

CB

>> 3. Have RTBH ready for some special case.
>
> S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
>
> -----------------------------------
> Roland Dobbins <rdobb...@arbor.net>