From our perspective, we're talking 1 min averages with 5 min stop time for L3/L4 attacks. Even if these situations were apparent, they'd be short
Kenneth, That would also be my recommendation to this scenario. The only caveat would be to consider the risk in the service-policy dropping legit traffic because the policy. Often times, the PPS rates of a DDoS attack fill's the policy queue up with malicious packets, sending the legit packets into a 'blackhole' or whatever mechanism you use to discard. Rate-limiters / QoS / Service-policies are good for some use cases but not for others, I am confident we all agree. In this case, "buying" time by implementing some initiate tactics to maintain stability is well worth the risk of being hard down. While the mean-time to detect, alert, start blocking, and stop the attack is being completed by the Cloud Provider. lived. Ramy, Does this answer your question or give you some ideas? It was pointed out to me that this thread started June 8th, didn't see any other replies. DB On Wed, Jul 1, 2015 at 12:15 PM, Kenneth McRae <kenneth.mcrae@me.com> wrote:
How stable can GRE transports and BGP sessions be when under load?
I typically protect the BGP session by policing all traffic being delivered to the remote end except for BGP. Using this posture, my BGP session over GRE are stable; even under attack.
Kenneth
On Jun 30, 2015, at 01:37 PM, Dennis B <infinityape@gmail.com> wrote:
Roland,
Agreed, Ramy's scenario was not truly spot on, but his question still remains. Perf implications when cloud security providers time to detect/mitigate is X minutes. How stable can GRE transports and BGP sessions be when under load?
In my technical opinion, this is a valid argument, which deems wide opinion. Specifically, use-cases about how to apply defense in depth logically in the DC vs Hybrid vs Pure Cloud.
Good topic, already some back-chatter personal opinions from Nanog lurkers!
Regards,
Dennis B.
On Tue, Jun 30, 2015 at 2:45 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
On 1 Jul 2015, at 1:37, Dennis B wrote:
Would you like to learn more? lol
I'm quite conversant with all these considerations, thanks.
OP asserted that BGP sessions for diversion into any cloud DDoS mitigation
service ran from the endpoint network through GRE tunnels to the
cloud-based mitigation provider. I was explaining that in most cloud
mitigation scenarios, GRE tunnels are used for re-injection of 'clean'
traffic to the endpoint networks.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>