On Sun, 9 Nov 2014, Roland Dobbins wrote:
> On 9 Nov 2014, at 10:12, Jon Lewis wrote:
>
>> The tricky part is when to remove the route...since you can't tell if the attack has ended while the target is blackholed by your upstreams.
>
> You can with NetFlow, if you've D/RTBHed the IP in question on your own infrastructure. NetFlow reports statistics on dropped traffic (except on a few platforms with implementation deficiencies).

I'm assuming from the OP's comment ("We set up BGP communities with our upstreams, and tested that RTBH can be set and it does work.") that they have their upstreams null routing the traffic, so they no longer see the attack traffic.

> But this kind of thing punishes the victim. It's far better to do everything possible to *protect* the target(s) of an attack, and only use D/RTBH as a last resort.

I'm sure it's not always the case, but in my experience as an SP, the victim virtually always did something to instigate the attack, and is usually someone you don't want as a customer. When I worked for a cloud hosting provider, the DDoS "victims" tended to be fraudulent signups who were doing malicious or anti-social things on the net and were not paying customers anyway. As someone else mentioned, it's better to sacrifice the one target and end the impact quickly than to piss off all or even some subset of your customers.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
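The point Roland makes above (if the discard happens on your own router, NetFlow still reports the dropped traffic, so you can tell when the attack has ended and withdraw the blackhole) can be turned into a small decision routine. The following is an added example, not code from the thread or from any vendor: it takes already-decoded flow records, keeps only those the exporter marked as dropped toward the blackholed address, and withdraws only after a whole hold-down window has been quiet. The forwardingStatus decoding follows the NetFlow v9/IPFIX definition of field 89 (top two bits 0b10 = dropped); the `FlowRecord` shape, the sample records, the 60 s bucket, the 10 kB/s threshold and the hold-down length are assumptions for illustration.

```python
"""Decide when a locally installed D/RTBH route can be withdrawn, using
NetFlow records that report the traffic the blackhole is dropping.

Added example, not from the NANOG thread. The sample flow records below
are constructed. forwardingStatus decoding follows NetFlow v9/IPFIX
field 89: top two bits 0b01 forwarded, 0b10 dropped, 0b11 consumed."""
from collections import defaultdict
from dataclasses import dataclass

FWD_DROPPED = 0b10  # top two bits of forwardingStatus meaning "dropped"


@dataclass(frozen=True)
class FlowRecord:
    ts: int          # flow end time, seconds since the epoch
    dst: str         # destination address
    octets: int      # bytes carried by the flow
    fwd_status: int  # raw forwardingStatus octet from the exporter


def is_dropped(rec: FlowRecord) -> bool:
    """True if the exporter reports this flow as dropped, e.g. by the
    Null0/discard route the RTBH trigger installed."""
    return (rec.fwd_status >> 6) == FWD_DROPPED


def dropped_bps_by_bucket(records, dst, t_start, t_end, bucket_s=60):
    """Bytes/second of dropped traffic toward dst for every bucket in
    [t_start, t_end). Empty buckets are zero-filled on purpose: once the
    drop happens on our own router, silence means the attack stopped.
    If the upstream is doing the blackholing, the same silence tells us
    nothing, and this routine must not be used."""
    totals = defaultdict(int)
    for r in records:
        if r.dst == dst and is_dropped(r) and t_start <= r.ts < t_end:
            idx = (r.ts - t_start) // bucket_s
            totals[t_start + idx * bucket_s] += r.octets
    return {b: totals[b] / bucket_s for b in range(t_start, t_end, bucket_s)}


def should_withdraw(records, dst, now, *, quiet_s=600,
                    threshold_bps=10_000, bucket_s=60):
    """True when dropped traffic toward dst stayed below threshold_bps in
    every bucket of the hold-down window [now - quiet_s, now). One quiet
    minute is not enough: floods routinely pause and resume."""
    series = dropped_bps_by_bucket(records, dst, now - quiet_s, now, bucket_s)
    return all(bps < threshold_bps for bps in series.values())


# Constructed sample: a 1.25 MB/s flood on 192.0.2.10 that pauses for two
# minutes and then resumes for three more, plus unrelated traffic.
T0 = 1_415_520_000  # 2014-11-09 UTC, an arbitrary anchor
VICTIM = "192.0.2.10"
SAMPLE = (
    [FlowRecord(ts, VICTIM, 12_500_000, 0x80) for ts in range(T0, T0 + 1800, 10)]
    + [FlowRecord(ts, VICTIM, 12_500_000, 0x80) for ts in range(T0 + 1920, T0 + 2100, 10)]
    + [FlowRecord(ts, "192.0.2.20", 40_000, 0x40) for ts in range(T0, T0 + 2700, 30)]  # forwarded
    + [FlowRecord(T0 + 300, "198.51.100.5", 9_000, 0x80)]  # unrelated ACL drop, other host
)

if __name__ == "__main__":
    for now, quiet in ((T0 + 1920, 120), (T0 + 1920, 600), (T0 + 2700, 600)):
        print(f"t=+{now - T0}s quiet={quiet}s -> withdraw: "
              f"{should_withdraw(SAMPLE, VICTIM, now, quiet_s=quiet)}")
```

With the constructed sample, a two-minute hold-down would withdraw the route at +1920 s, exactly when the flood resumes; the ten-minute hold-down keeps it in place and only withdraws once the window after +2100 s is entirely quiet. Two practitioner caveats: with sampled NetFlow the octet counts must be multiplied by the sampling rate before comparing against the threshold, and the check is only meaningful for an address you are discarding yourself, which is precisely the visibility an upstream-only RTBH gives up.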