On 18 Mar 2015, at 13:32, Mark Tinka wrote:
That's one of two issues - if the sources are overwhelming, how does one scale that up without the use of some scrubbing service? Writing data plane filters that are customer-specific works (assuming you have the hardware for it), but can get unwieldy.
Some operators have specialized DDoS mitigation capabilities. Others rely exclusively on basic network infrastructure-based mechanisms like D/RTBH, S/RTBH, and/or flowspec.
The other issues are the chance to boo-boo things when filtering a customer-facing port, and/or forgetting to remove filters after they are needed and the customer (or the remote end) ends up having reachability issues.
Sure. But this doesn't obviate the fact that cooperative DDoS mitigation amongst network operators routinely takes place on the Internet today, and is increasingly made available in one form or another to end-customers who request same.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>