Hi Roland,

Thank you for your comments and resources.  I think you may have misunderstood our email (we could've made our email more clear -- apologies).

The following is our explanation if we interpreted your email correctly.

What we meant by "may not have necessary capacity" is that routers do not have enough CAM/TCAM space to deploy/install ACLs, BGP FlowSpec rules against large-scale DDoS attacks without 1) incurring major collateral damage (e.g., deploy /16 source-based rules instead of /32 so that more DDoS traffic can be filtered while using less CAM/TCAM space), or 2) performance penalties that are introduced by deploying more filters than a router's data plane can support (i.e., data plane to control plane I/O limitation).

We believe DDoS mitigation based on layer 3 and/or 4 information can be fine-grain. As a matter of fact, when we referred to fine-grained traffic filtering in our original email, we meant DDoS mitigation based on layer 3 and 4 information.

I hope this addresses your concerns.

Best,
Lumin








On Tue, Jan 14, 2020 at 2:31 PM Dobbins, Roland <Roland.Dobbins@netscout.com> wrote:

On 14 Jan 2020, at 1:56, Lumin Shi wrote:

> We believe that many routers on the Internet
> today may not have the necessary capacity to perform fine-grained
> traffic
> filtering, especially when facing a large-scale DDoS attack with or
> without
> IP spoofing.

There are literally decades of information on these topics available
publicly.  Router and switch ACLs (both static and dynamically-updated
via flow spec), D/RTBH, S/RTBH, intelligent DDoS mitigation systems
(IDMSes; full disclosure, I work for a a vendor of such systems), et.
al. are all used to mitigate DDoS attacks.

Your comments about routers not having the 'capacity' (I think you mean
capability) to filter traffic due to a lack of granularity are
demonstrably inaccurate.  While it's always useful to be able to parse
into packets as deeply as practicable in hardware, layer-4 granularity
has been and continues to be useful in mitigating DDoS attacks on an
ongoing basis.  Whether or not the traffic in question is spoofed is
irrelevant, in this particular context.

Here are some .pdf presentations on the general topic of DDoS
mitigation:

<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>

There are lots of write-ups and videos of presentations given at
conferences like NANOG which address these issues; they can easily be
located via the use of search engines.

--------------------------------------------
Roland Dobbins <roland.dobbins@netscout.com>