On 6 Dec 2010, at 15:34, David Ulevitch wrote:
On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore <patrick@ianai.net> wrote:
On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
Besides having *alot* of bandwidth theres not really much you can do to mitigate. Once you have the bandwidth you can filter (w/good hardware). Even if you go for 802.3ba with 40/100 Gbps...you'll need alot of pipes.
There is a variation on that theme. Using a distributed architecture (anycast, CDN, whatever), you can limit the attack to certain nodes. If you have 20 nodes and get attacked from a botnet China, only the users on the same node as the Chinese use will be down. The other 95% of your users will be fine. This is true even if you have 1 Gbps per node, and the attack is 100 Gbps strong.
I think this is only true if you run your BGP session on a different path (or have your provider pin down a static route). If you are using BGP and run it on the same path, the 100Gbps will cause massive packet loss and likely cause your BGP session to drop which will just move the attack to another site, rinse / repeat. I don't think very many people run BGP over a separate circuit, but for some folks, it might be appropriate.
Running BGP over a different circuit will cause some blackholing of the traffic if the real link is down but not the BGP path. So IIMHO the best way is still a good router with some basic QOS to protect BGP on the link. Thomas