----- Original Message -----
From: Frank Bulk <frnkblk@iname.com>
To: nanog@nanog.org
Cc:
Sent: Saturday, September 19, 2015 12:54 PM
Subject: DDoS auto-mitigation best practices (for eyeball networks)

Could the community share some DDoS auto-mitigation best practices for eyeball networks, where the target is a residential broadband subscriber? I'm not asking so much about the customer communication as much as configuration of any thresholds or settings, such as:

- minimum traffic volume before responding (for volumetric attacks)
- minimum time to wait before responding
- filter percentage: 100% of the traffic toward target (or if volumetric, just a certain percentage)?
- time before mitigation is automatically removed
- and if the attack should recur shortly thereafter, time to respond and remove again
- use of an upstream provider(s) mitigation services versus one's own mitigation tools
- network placement of mitigation (presumably upstream as possible)
- and anything else

I ask about best practice for broadband subscribers on eyeball networks because it's a different environment than data center and hosting environments or when one's network is being used to DDoS a target.

Regards,

Frank

Frank,

If you figure out a way to protect residential-BB-clients, I would love to know!

Regards,
./Randy