On Tue, May 31, 2011 at 3:06 PM, Deepak Jain <deepak@ai.net> wrote:
Let's not ignore the value of DNS with a short ttl time. It may not be "as quick" as a BGP adjustment, but serves to provide a buttressed front-end IP that can restore service "instantly" [faster than getting someone on the phone to coordinate the change, etc].
Disclaimer: We provide a service for our customers that does substantially this sort of DDOS mitigation.
also, note that VerizonBusiness ddos-mitigation service was no-call-required, just send the right community on a configured session ... and 'cheap'. -chris
Normally when mitigation is put in place, they advertise a more specific prefix from as26415, scrub the traffic and hand it back to you over a gre tunnel...
Obviously some design consideration goes into having services in prefixes you're willing to de-agg in such a fashion... I'd also recommend advertising the more specific out your own ingress paths before they pull your route otherwise the churn while various ASes grind through their longer backup routes takes a while.
On May 30, 2011, at 7:43 AM, Rubens Kuhl wrote:
ms made by the product descriptions seem suspect to me.
it claims to be "Carrier-agnostic and ISP-neutral", yet "When an
detected, Verisign will work with the customer to redirect Internet
event is traffic
destined for the protected service to a Verisign Internet Defense Network site."
anyone here have any comments on how this works, and how effective it will be vs. dealing directly with your upstream providers and getting them to assist in shutting down the attack?
Anyone willing to announce your IP blocks under attack, receive the traffic and then tunnel the non-attack traffic back to you can provide such services without cooperation from your upstreams. I don't know the details about this particular provider, such as if they announce your blocks from yours or theirs ASN, if they use more specifics, communities or is simply very well connected, but as BGP on the DFZ goes, it can work.
You might need to get your upstreams to not filter announcements from your IP block they receive, because that would prevent mitigation for attack traffic from inside your upstream AS.
(RPKI could also be a future challenge for such service, but one could previously sign ROAs to be used in an attack response)
Rubens