[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Best way to get foreign ISPs to shut down DDoS reflectors?

On Thu, Apr 23, 2020 at 2:38 PM Shawn L via NANOG <nanog at nanog.org> wrote:
> This brings up an interesting question -- what is "good DDoS protection" on an ISP scale?  Apart from having enough bandwidth to weather the attack and having upstream providers attempt to filter it for you/

Hi Shawn,

I believe the normal mechanism is that you use BGP to sink the
impacted /24s at many high-bandwidth exchange points worldwide,
filter, and pass the traffic which  the filter accepts back to your
core infrastructure via a tunnel (VPN).

Build or buy.

If it's practical to sink the bandwidth near the DDOS target, I
wouldn't think it was much of a DDOS.

A question which interests me: How many attacks do folks find landing
in the middle-ground between "annoying but readily handled" and "far
beyond my ability?"

Bill Herrin

William Herrin
bill at herrin.us