On Dec 19, 2013, at 6:12 AM, cb.list6 <cb.list6@gmail.com> wrote:
I am strongly considering having my upstreams to simply rate limit ipv4 UDP.
QoS is a very poor mechanism for remediating DDoS attacks. It ensures that programmatically-generated attack traffic will 'squeeze out' legitimate traffic.
During an attack, 100% of the attack traffic is ipv4 udp (dns, chargen, whatever).
Have you checked to see whether you and/or your customers have open DNS recursors, misconfigured CPE devices, etc. which can be used as reflectors/amplifiers on your respective networks? Have you implemented NetFlow and S/RTBH? Considered building a mitigation center? <http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html> Do you work with your peers/upstreams/downstreams to mitigate DDoS attacks when they ingress your network? There are lots of things one can do to increase one's ability to detect, classify, traceback, and mitigate DDoS attacks, yet which aren't CAPEX-intensive. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Luck is the residue of opportunity and design. -- John Milton