* Richard Hesse
On Tue, Aug 27, 2013 at 12:14 PM, Joe Abley <jabley@hopcount.ca> wrote:
- response you can expect when you call one day and say "our 10GE is maxed out with inbound traffic from apparently everywhere, it has been going on for an hour, please help"
That was good for a laugh.
If it's a DoS, you know what the answer already is. "We no longer offer filtering for any of our customers. You must upgrade to the DDoS prevention service." We've actually made a list of other companies that share our providers' downstream links in each facility and reached out to them. We get them to call up and complain to said tier-1 provider that "something is affecting our traffic." That usually gets filters installed... otherwise, no dice.
Several providers have a self-service blackholing functionality which may alleviate DDoS attacks. Typically you announce the attacked /32 or /128 to your upstreams, tagged with some special blackhole community, and/or to a special multihop BGP session dedicated for blackholing purposes. Doing so will cause your upstreams to automatically drop the attack traffic within their network, *before* it gets to saturate your uplinks. Clearly, this is a blunt and last-resort type of tool which will cement the efficiency of the attack from a global perspective, but that may be an acceptable trade-off depending on the circumstances; you may prevent collateral damage from impacting your other customers, and cutting out global attack traffic might enable the attacked customer to serve his primary markets just fine through local peering sessions, regional transits, and so forth. I'm not buying transit from a network that doesn't give me such blackholing functionality, FWIW.
Tore
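The upstream-side policy Tore describes, as an added example (not code from anyone in this thread): the customer announces a host route for the attacked address tagged with a blackhole community, and the upstream accepts it only if it really is a /32 or /128 and falls inside a prefix that customer is authorised to originate, so a customer cannot blackhole someone else's address. 65535:666 is the BLACKHOLE community from RFC 7999; the customer prefix list and the ExaBGP-style announce syntax are assumptions for illustration.

```python
import ipaddress

# Well-known BLACKHOLE community (RFC 7999); many upstreams use their own ASN:666 instead.
BLACKHOLE_COMMUNITY = "65535:666"

# Constructed sample: prefixes this customer is allowed to originate (normally from IRR/RPKI).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:100::/48")]


def is_host_route(prefix):
    """True for a /32 (IPv4) or /128 (IPv6); anything shorter is not a blackhole candidate."""
    net = ipaddress.ip_network(prefix, strict=True)
    return net.prefixlen == net.max_prefixlen


def accept_blackhole(prefix, communities, allowed=CUSTOMER_PREFIXES):
    """Upstream ingress check for a customer-originated blackhole route.

    Returns (accepted, reason). A route that passes would be installed with a
    discard next-hop so the upstream drops the traffic before it reaches the customer link.
    """
    if BLACKHOLE_COMMUNITY not in communities:
        return False, "no blackhole community; evaluate as an ordinary route"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if not is_host_route(prefix):
        return False, "blackhole routes must be /32 or /128"
    # Only honour the request for addresses the customer is authorised to announce.
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, "prefix not covered by customer's authorised prefixes"
    return True, "install as discard route"


def announce_line(prefix, next_hop):
    """What the customer side would send (ExaBGP-style syntax, assumed for illustration)."""
    return f"announce route {prefix} next-hop {next_hop} community [{BLACKHOLE_COMMUNITY}]"


if __name__ == "__main__":
    # Constructed attack: 192.0.2.10 is being flooded; the customer blackholes just that host.
    print(announce_line("192.0.2.10/32", "192.0.2.1"))
    for p, c in [("192.0.2.10/32", ["65535:666"]), ("192.0.2.0/24", ["65535:666"]),
                 ("198.51.100.7/32", ["65535:666"]), ("2001:db8:100::7/128", ["65535:666"])]:
        print(p, accept_blackhole(p, c))
```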