Am 27.04.2016 um 18:09 schrieb Hank Nussbacher <hank@efes.iucc.ac.il>:
On 27/04/2016 18:58, John Kristoff wrote:
On Thu, 21 Apr 2016 09:46:13 +0200 Martin Bacher <ti14m028@technikum-wien.at> wrote:
- Intra-AS BGP FlowSpec deployment: Who is running it? For which kind of attacks are you using it? Are you only dropping or rate-limiting certain traffic or are you also using the redirect/remark capabilities? What are the limitations from your perspective? Are you facing any operational issues? How are you injecting the FlowSpec routes? Unless you received a number of private responses, perhaps the lack of public responses is telling. Geant runs a Firewall of Demand based on BGP Flowspec (Juniper routers). You can read more about it here: http://www.geant.org/Networks/Network_Operations/PublishingImages/Pages/Fire... https://www.terena.org/activities/tf-csirt/meeting44/Firewall%20on%20Demand_... Thank you Hank. That’s a pretty nice intra AS implementation with a nice interface for customers.
Cheers, Martin
Regards, Hank
I've heard of a few networks doing this and there is some public record of it being used, including one instance where a bad rule was behind a serious outage:
- Inter-AS: Who is running Inter-AS FlowSpec deployments? What is your experience? Are there any concerns regarding Inter-AS deployments? Has anyone done interop tests? You might mine public, archived BGP data and see if there are any traffic filtering rules present (they are encoded in extended communities, which are optional, transitive).
We once tried to coordinate an Inter-AS flow-spec project, but it failed miserably due to lack of interest. For posterity, here is the project page:
<https://www.cymru.com/jtk/misc/community-fs.html>
Literally the only people who were interested in it at the time was one of the spec's co-authors. :-)
Since then, we have tried a more modest approach using the well known BGP RTBH technique:
<https://www.cymru.com/jtk/misc/utrs.html>
This has been much more successful and since we've started we've probably had about a dozen networks express interest in flow-spec rules. Verification of rules is potentially tricky, but widespread interest still lags in my estimation.
- How are you detecting DDoS attacks (Netflow, in-line probes, ..?) and which applications are you using for the analysis (Peakflow, Open-Source tools, ..?) Not speaking for anyone in particular, but don't forget about user complaints. In some cases a network may not notice (or care) if an attack is below a certain threshold for their network, but above a stress point downstream.
John