On Dec 8, 2010, at 9:33 AM, Arturo Servin wrote:
Yes, but all of them rely on your upstreams or on mirroring your content. If 100 Mbps is reaching your input interface of 10 Mbps, there is not much that you can do.
Hmm. What would be really cool is if you could use Snort, NetFlow/NBAR, or some other sort of DPI tech to find specifically the IP addresses of the DDoS bots, and then pass that information back upstream via BGP communities that tell your peer router to drop traffic from those addresses. That way the target of the traffic can continue to function if the DDoS traffic doesn't closely mimic the normal traffic. Your BGP peer router would need to have lots of memory for /32 or /64 routes, though.

Anyone heard of such a beast? Or is this how the stuff from places like Arbor Networks does its thing?

--Chris
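What Chris sketches above is essentially source-based remote-triggered black holing: the victim's network announces host routes for the attacking sources toward the upstream with a community the upstream maps to a discard next-hop (with loose uRPF on the upstream's edge so that traffic *from* those sources is dropped). The script below is an added example, not code from anyone in this thread; it takes constructed flow records of the kind NetFlow would export, ranks sources by packet rate toward the victim, and renders the announcements. The community 65000:666, the discard next-hop 192.0.2.1, the threshold, and the ExaBGP-style `announce route` output format are all assumptions for illustration (check the exact syntax against your BGP daemon and your upstream's published RTBH community).

```python
"""Added example (not from the thread): select DDoS source addresses from flow
records and render source-based RTBH announcements for an upstream.

Assumptions (hypothetical, for illustration): flow records are tuples like a
NetFlow v5 export (src, dst, packets, duration_seconds); the upstream honours
the blackhole community 65000:666; the output follows ExaBGP's
`announce route ...` command syntax.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

BLACKHOLE_COMMUNITY = "65000:666"   # hypothetical upstream RTBH community
TRIGGER_NEXT_HOP = "192.0.2.1"      # hypothetical discard next-hop (TEST-NET-1)
PPS_THRESHOLD = 1000                # packets/sec toward the victim to qualify
MAX_ENTRIES = 5000                  # cap on host routes (peer memory concern)

# Constructed sample flows: (src, dst, packets, duration_seconds)
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.7", 120000, 60),  # 2000 pps -> bot
    ("203.0.113.11", "198.51.100.7", 90000, 60),   # 1500 pps -> bot
    ("203.0.113.12", "198.51.100.7", 600, 60),     # 10 pps   -> normal client
    ("203.0.113.10", "198.51.100.9", 30, 60),      # other destination, ignored
]


def rank_sources(flows, victim):
    """Aggregate packets per source sent toward `victim`; return {src: pps}."""
    packets = defaultdict(int)
    seconds = defaultdict(int)
    victim_addr = ip_address(victim)
    for src, dst, pkts, duration in flows:
        if ip_address(dst) != victim_addr:
            continue
        packets[src] += pkts
        seconds[src] = max(seconds[src], duration)
    return {src: packets[src] / seconds[src] for src in packets if seconds[src] > 0}


def select_blackhole_sources(flows, victim, threshold=PPS_THRESHOLD,
                             exclude=(), max_entries=MAX_ENTRIES):
    """Return sources above `threshold` pps, highest first, skipping any
    address inside `exclude` (your own prefixes, monitoring hosts, DNS
    resolvers) and never returning more than `max_entries` routes."""
    exclude_nets = [ip_network(n) for n in exclude]
    ranked = sorted(rank_sources(flows, victim).items(), key=lambda kv: -kv[1])
    chosen = []
    for src, pps in ranked:
        if pps < threshold or len(chosen) >= max_entries:
            break
        addr = ip_address(src)
        if any(addr in net for net in exclude_nets):
            continue  # never blackhole something on the allowlist
        chosen.append(src)
    return chosen


def blackhole_prefix(src):
    """IPv4 bots get a /32; IPv6 bots get their covering /64 (a host usually
    owns the whole /64), as the post suggests."""
    addr = ip_address(src)
    plen = 32 if addr.version == 4 else 64
    return str(ip_network(f"{addr}/{plen}", strict=False))


def render_announcements(sources, next_hop=TRIGGER_NEXT_HOP,
                         community=BLACKHOLE_COMMUNITY):
    """Render one ExaBGP-style announce line per source (syntax assumed).
    no-export keeps the host routes between you and the upstream only."""
    return [
        f"announce route {blackhole_prefix(src)} next-hop {next_hop} "
        f"community [{community} no-export]"
        for src in sources
    ]


if __name__ == "__main__":
    for line in render_announcements(
            select_blackhole_sources(SAMPLE_FLOWS, "198.51.100.7",
                                     exclude=("198.51.100.0/24",))):
        print(line)
```

The `exclude` allowlist and `max_entries` cap are the two controls a practitioner would insist on before wiring this to a live session: without them a spoofed or reflected attack can trick the script into blackholing your own resolvers or your upstream's peers, and an unbounded list of /32s is exactly the memory problem the post raises. Withdrawal (the matching `withdraw route` when a source goes quiet) is left out here but is required in practice so the routes do not persist after the attack ends.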