Hi Roland,

Thank you for your comments and resources. I think you may have misunderstood our email (we could have made our email clearer; apologies). The following is our explanation, if we interpreted your email correctly.

What we meant by "may not have necessary capacity" is that routers do not have enough CAM/TCAM space to deploy/install ACLs or BGP FlowSpec rules against large-scale DDoS attacks without 1) incurring major collateral damage (e.g., deploying /16 source-based rules instead of /32 so that more DDoS traffic can be filtered while using less CAM/TCAM space), or 2) incurring performance penalties that are introduced by deploying more filters than a router's data plane can support (i.e., the data plane to control plane I/O limitation).

We believe DDoS mitigation based on layer 3 and/or 4 information can be fine-grained. As a matter of fact, when we referred to fine-grained traffic filtering in our original email, we meant DDoS mitigation based on layer 3 and 4 information.

I hope this addresses your concerns.

Best,
Lumin

On Tue, Jan 14, 2020 at 2:31 PM Dobbins, Roland <Roland.Dobbins@netscout.com> wrote:
On 14 Jan 2020, at 1:56, Lumin Shi wrote:
We believe that many routers on the Internet today may not have the necessary capacity to perform fine-grained traffic filtering, especially when facing a large-scale DDoS attack with or without IP spoofing.
There are literally decades of information on these topics available publicly. Router and switch ACLs (both static and dynamically updated via flow spec), D/RTBH, S/RTBH, intelligent DDoS mitigation systems (IDMSes; full disclosure, I work for a vendor of such systems), et al. are all used to mitigate DDoS attacks.
Your comments about routers not having the 'capacity' (I think you mean capability) to filter traffic due to a lack of granularity are demonstrably inaccurate. While it's always useful to be able to parse into packets as deeply as practicable in hardware, layer-4 granularity has been and continues to be useful in mitigating DDoS attacks on an ongoing basis. Whether or not the traffic in question is spoofed is irrelevant, in this particular context.
Here are some .pdf presentations on the general topic of DDoS mitigation:
<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>
There are lots of write-ups and videos of presentations given at conferences like NANOG which address these issues; they can easily be located via the use of search engines.
--------------------------------------------
Roland Dobbins <roland.dobbins@netscout.com>
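The trade-off Lumin describes above (aggregating /32 source filters into shorter prefixes so the rule set fits the router's CAM/TCAM, at the cost of also dropping legitimate sources inside those prefixes) can be made concrete with a small model. The following is an added example, not code from either participant in the thread. It assumes, hypothetically, that one prefix-match rule costs one TCAM entry and that a fixed entry budget is available for mitigation; the attacker and legitimate address sets are constructed from RFC 5737 documentation ranges for illustration only.

```python
"""Model the TCAM-budget vs. collateral-damage trade-off for source-based
DDoS filtering. Added example; assumes one TCAM entry per prefix rule."""
import ipaddress

# Constructed sample data (not real traffic): attackers are every 4th host in
# two /24s; legitimate clients are the odd hosts of those same /24s plus 50
# hosts in a third /24 that contains no attackers at all.
ATTACKERS = [f"203.0.113.{i}" for i in range(0, 256, 4)] + \
            [f"198.51.100.{i}" for i in range(0, 256, 4)]
LEGIT = [f"203.0.113.{i}" for i in range(1, 256, 2)] + \
        [f"198.51.100.{i}" for i in range(1, 256, 2)] + \
        [f"192.0.2.{i}" for i in range(1, 51)]


def aggregate(sources, prefix_len):
    """Round each /32 source down to its enclosing /prefix_len network and
    return the unique prefixes, i.e. the rules that would be installed."""
    nets = {ipaddress.ip_network(f"{s}/{prefix_len}", strict=False)
            for s in sources}
    return sorted(nets)


def fit_to_budget(sources, budget, min_prefix_len=8):
    """Shorten the prefix length one bit at a time until the rule count fits
    the TCAM budget. Returns (prefix_len, rules), or None if even
    /min_prefix_len rules would not fit (the router simply cannot filter
    this attack by source without exceeding its capacity)."""
    for plen in range(32, min_prefix_len - 1, -1):
        rules = aggregate(sources, plen)
        if len(rules) <= budget:
            return plen, rules
    return None


def collateral_damage(rules, legit):
    """Count legitimate sources that the aggregated rules would also drop."""
    return sum(1 for s in legit
               if any(ipaddress.ip_address(s) in r for r in rules))


def plan(attackers, legit, budget):
    """Summarize the coarsest-fitting mitigation for a given TCAM budget:
    the prefix length used, rules installed versus exact /32 rules needed,
    and how many legitimate sources are caught as collateral damage."""
    fitted = fit_to_budget(attackers, budget)
    if fitted is None:
        return None
    plen, rules = fitted
    return {
        "prefix_len": plen,
        "rules": len(rules),
        "exact_rules": len(aggregate(attackers, 32)),
        "collateral": collateral_damage(rules, legit),
        "legit_total": len(legit),
    }


if __name__ == "__main__":
    # Same attack, three hypothetical TCAM budgets: ample, tight, very tight.
    for budget in (200, 64, 8):
        print(f"budget={budget:4d} -> {plan(ATTACKERS, LEGIT, budget)}")
```

With 128 attacking /32s, a budget of 200 entries allows exact rules and no collateral damage; a budget of 64 forces /29 rules that drop every legitimate host in the two attacked /24s (256 of 306), and a budget of 8 forces /26 rules with the same collateral damage and far fewer entries. The third /24 stays untouched in every case because aggregation only grows prefixes around addresses that actually appear in the attack set.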