Blocking based on source, not destination, which much kit will happily do in silicon for you - "ip verify unicast source reachable-via any" in IOS-speak. Team Cymru have a good guide on this at http://www.team-cymru.org/Services/Bogons/bgp.html which is aimed at those using their Bogons BGP service, but it works just as well if you're providing your own source of known-bad IPs and distributing to all your edge devices via BGP.
If you have good real-time reporting of Netflow statistics, you can identify sources via high pps quickly and add them to your blackhole list. One caveat is that it's generally a harder sell to management as there are no glossy brochures for them to look at.

On 29/04/2013 16:20, Neil J. McRae wrote:
> the below is true but means you typically bin the good traffic to your
> customer also...
>
> Sent from my iPad
>
> On 29 Apr 2013, at 16:00, "Zoë O'Connell" <[email protected]> wrote:
>
>> On 29/04/2013 12:53, Simon Green wrote:
>>>
>>> We're looking at DDoS mitigation options at the moment, and one
>>> vendor we've spoken to has recommended NSFOCUS and their ADS line.
>>> Has anybody had any experience with these or similar, and also any
>>> ideas on competitor costs?
>>>
>>
>> I've not used that particular brand, but I have not yet come across a
>> DDoS attack that could not be mitigated by a combination of
>> remote-triggered blackhole routing, upstreams willing to filter and
>> decent firewall/UTM devices. The only time a company I've worked for
>> has had to disconnect a customer due to an attack was a shared
>> hosting customer where it was decided at director level that it
>> simply wasn't worth spending any time whatsoever on it.
>>
>> What the DDoS protection boxes generally buy you is a marginally
>> faster response in some cases and the ability to get some sort of
>> limited response when senior staff are not immediately available.
>> They are also useful as one element of an overall DDoS mitigation
>> strategy if you expect to come under serious, repeated attack due to
>> the nature of the site you host. (E.g. finance or gambling related)
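The two pieces described in the reply above, pps-based source detection from flow records and a source-based blackhole list pushed to uRPF-enabled edges, as an added worked example. This is not code from the thread or from Team Cymru; the flow records are constructed, and the discard next-hop (192.0.2.1), the route tag (666), the pps threshold and the allowlist are all assumptions to be replaced with your own values. The only command taken from the thread is the loose-mode uRPF line; the static route and route-map syntax is standard IOS RTBH practice but is shown here as an illustration, not as a vendor reference.

```python
# Added example (not from the original thread): aggregate NetFlow-style per-flow
# packet counts into per-source pps, pick sources over a threshold, and emit the
# trigger-router configuration for a SOURCE-based remote-triggered blackhole.
# Edge devices run loose-mode uRPF, so a source whose /32 resolves to Null0
# fails the reverse-path check and its packets are dropped in hardware.
import ipaddress
from collections import defaultdict

# Constructed flow records: (src, dst, packets) observed inside one export window.
WINDOW_SECONDS = 10
FLOWS = [
    ("203.0.113.10", "198.51.100.5", 900_000),
    ("203.0.113.10", "198.51.100.6", 600_000),   # same source, second flow
    ("203.0.113.77", "198.51.100.5", 5_000),     # low rate, left alone
    ("198.51.100.200", "198.51.100.5", 2_000_000),  # inside our own space
    ("192.0.2.44", "198.51.100.5", 1_500_000),   # allowlisted probe
]

# Assumptions for this example; tune to your network.
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # never blackhole customers
ALLOWLIST = {ipaddress.ip_address("192.0.2.44")}          # e.g. a monitoring probe
PPS_THRESHOLD = 100_000
DISCARD_NEXT_HOP = "192.0.2.1"   # routed to Null0 on every edge router
TRIGGER_TAG = 666                # tag matched by the redistribute route-map


def blackhole_candidates(flows, window_seconds=WINDOW_SECONDS, threshold=PPS_THRESHOLD):
    """Return {src_ip_str: pps} for sources above the threshold, excluding
    anything in our own address space or on the allowlist. Packet counts are
    summed across all flows from a source before dividing by the window."""
    totals = defaultdict(int)
    for src, _dst, pkts in flows:
        totals[ipaddress.ip_address(src)] += pkts
    candidates = {}
    for src, pkts in totals.items():
        pps = pkts / window_seconds
        if pps < threshold:
            continue
        if src in ALLOWLIST or any(src in net for net in OWN_PREFIXES):
            continue  # would bin our own or trusted traffic, so skip
        candidates[str(src)] = pps
    return candidates


def trigger_config(candidates):
    """Static /32 routes on the RTBH trigger router, one per offending source.
    Redistributed into iBGP with the route-map below, they reach every edge."""
    return [
        f"ip route {src} 255.255.255.255 Null0 tag {TRIGGER_TAG}"
        for src in sorted(candidates, key=ipaddress.ip_address)
    ]


def route_map_config():
    """Route-map applied on 'redistribute static' at the trigger router: rewrite
    the next hop to the discard address and keep the routes inside the AS."""
    return [
        "route-map rtbh-source permit 10",
        f" match tag {TRIGGER_TAG}",
        f" set ip next-hop {DISCARD_NEXT_HOP}",
        " set community no-export",
    ]


def edge_config():
    """Per-edge configuration: the discard route plus loose-mode uRPF on the
    customer/peer-facing interface (the command quoted in the thread)."""
    return [
        f"ip route {DISCARD_NEXT_HOP} 255.255.255.255 Null0",
        "interface GigabitEthernet0/0",
        " ip verify unicast source reachable-via any",
    ]


if __name__ == "__main__":
    found = blackhole_candidates(FLOWS)
    for src, pps in found.items():
        print(f"candidate {src}: {pps:.0f} pps")
    print("\n".join(trigger_config(found)))
    print("\n".join(route_map_config()))
    print("\n".join(edge_config()))
```

In this constructed data only 203.0.113.10 qualifies: its two flows add up to 150,000 pps, while the 200,000 pps source in 198.51.100.0/24 and the allowlisted 192.0.2.44 are deliberately skipped. That exclusion is the point of the exercise: an automated source blackhole that can fire on your own prefixes turns a detection tool into a self-inflicted outage.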
