Is it common practice to place your own equipment at the ISP? My thought is that if we are able to have our own routers at the ISP, we'd be in a better position to mitigate the effects of a DDOS. As long as the stream of traffic does not adversely affect our routers from performing properly at the ISP, we can then mitigate the effects through access-lists, QOS, etc. That is if the attack is not too distributed, where the source IPs with the highest amount of syn traffic for example can be easily identified.



Rick Cheung
NPI IT Wan Team, CCNP


-----Original Message-----
From: Pete Kruckenberg [mailto:pete@kruckenberg.com]
Sent: Wednesday, May 15, 2002 2:15 AM
To: nanog@merit.edu
Subject: Re: Arbor Networks DoS defense product



On Wed, 15 May 2002, Rubens Kuhl Jr. wrote:

> If and when
> (a) customers don't get exemption for attack traffic
> (b) the DoS traffic occurs more than 5% (or 1 - your percentile level) of
> the month per customer circuit
> (c) the DoS increases bytes transferred like large ICMP packet flood; this
> is not the case for all DoS traffic, which can be a bunch of small packets
> that actually decreases traffic

These might apply to noticeable DoS attacks that occur as
specific events. But how much (D)DoS traffic goes unnoticed
by the average customer because it's too tough to detect or
defend against? The 10% I've measured on my network is
primarily reflected DDoS (reflected off my customers, to
off-net targets), which is not trivial to detect or defend
against.

Pete.