On Tue, 5 Jan 2010 04:20:51 +0000 "Dobbins, Roland" <rdobbins@arbor.net> wrote:
> S/RTBH and/or flow-spec are great DDoS mitigation tools which don't require any further investment beyond the network infrastructure an operator has already purchased and deployed. These should be the first mitigation tools anyone deploys; in many cases, they're all that's needed.
I still wish we would have had something like Bellovin's Pushback implemented as a separate protocol rather than flow-spec over BGP, but having lost that battle we have been playing around with a (free) community, but vetted participant, flow-spec over BGP service if folks are interested in trying it out. Just shoot me a note offline. You need an ASN, a flow-spec capable router and must be a verifiable admin/sec contact for said ASN (whatever that means :-).

Basic idea is for folks who want to receive one or more sets of flow-spec feeds and/or inject things they want others to filter on (limited to your own routes) you can do so. No need for direct peering and like you say Roland, many networks already have all they need to start doing these sorts of things. Please note, we realize there are a variety of issues in implementing this sort of thing, but if we can find a way to make it trustworthy and workable, that is why we're here.

Those not familiar with flow-spec can read up: <http://tools.ietf.org/html/rfc5575>

In a nutshell, distributed router filters via BGP.

John
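For readers following the RFC 5575 pointer above, here is an added example (not code from John's service, from Arbor, or from anyone in this thread) of what a flow-spec rule looks like on the wire: it encodes the NLRI for "UDP traffic to a victim prefix, destination port 53" plus the traffic-rate extended community that tells receiving routers to drop (rate 0) matching packets. The victim prefix 192.0.2.0/24 and ASN 65000 are constructed placeholder values from the documentation and private ranges, and the rule matches only traffic toward the originating network's own prefix, which is exactly the "limited to your own routes" constraint John describes.

```python
import ipaddress
import struct

# Flow-spec component types (RFC 5575 section 4). Components must appear
# in ascending type order, each at most once.
DEST_PREFIX = 1
SRC_PREFIX = 2
IP_PROTO = 3
PORT = 4
DEST_PORT = 5
SRC_PORT = 6

# Numeric operator byte bits (RFC 5575 section 4, "Numeric operator").
OP_END = 0x80  # end-of-list
OP_AND = 0x40  # AND with the previous term (default is OR)
OP_LT = 0x04
OP_GT = 0x02
OP_EQ = 0x01
# bits 4-5 hold the value length code: 0 -> 1 byte, 1 -> 2, 2 -> 4, 3 -> 8


def _value_len_code(value):
    """Return (length code, byte count) for the smallest encoding of value."""
    for code, nbytes in ((0, 1), (1, 2), (2, 4), (3, 8)):
        if value < 1 << (8 * nbytes):
            return code, nbytes
    raise ValueError("value does not fit in 8 bytes")


def encode_prefix_component(ctype, prefix):
    """Type 1/2 component: type, prefix length in bits, minimal prefix bytes."""
    if ctype not in (DEST_PREFIX, SRC_PREFIX):
        raise ValueError("not a prefix component type")
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric_component(ctype, terms):
    """Type 3-6 component: type followed by (operator, value) pairs.

    terms is a list of (flags, value); flags is an OR of OP_LT/OP_GT/OP_EQ
    and optionally OP_AND. OP_END and the length bits are set here.
    """
    if not terms:
        raise ValueError("a numeric component needs at least one term")
    out = bytearray([ctype])
    for i, (flags, value) in enumerate(terms):
        if flags & (OP_END | 0x30):
            raise ValueError("caller must not set end-of-list or length bits")
        if i == 0 and flags & OP_AND:
            raise ValueError("first term cannot be ANDed with a predecessor")
        code, nbytes = _value_len_code(value)
        op = flags | (code << 4)
        if i == len(terms) - 1:
            op |= OP_END
        out.append(op)
        out += value.to_bytes(nbytes, "big")
    return bytes(out)


def encode_nlri(components):
    """Prefix the concatenated components with the 1- or 2-byte NLRI length."""
    types = [c[0] for c in components]
    if types != sorted(types) or len(set(types)) != len(types):
        raise ValueError("components must be in strictly ascending type order")
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    if len(body) < 4096:
        return struct.pack(">H", 0xF000 | len(body)) + body
    raise ValueError("flow-spec NLRI too long")


def traffic_rate_community(asn, rate_bytes_per_sec):
    """Traffic-rate extended community (type 0x8006): 2-byte AS, float rate.

    A rate of 0 means discard all matching traffic.
    """
    return struct.pack(">HHf", 0x8006, asn, float(rate_bytes_per_sec))


def drop_udp_to_victim(victim_prefix="192.0.2.0/24", dport=53, asn=65000):
    """Constructed rule: drop UDP to victim_prefix:dport. Returns (NLRI, community)."""
    nlri = encode_nlri([
        encode_prefix_component(DEST_PREFIX, victim_prefix),
        encode_numeric_component(IP_PROTO, [(OP_EQ, 17)]),        # UDP
        encode_numeric_component(DEST_PORT, [(OP_EQ, dport)]),
    ])
    return nlri, traffic_rate_community(asn, 0)


def drop_udp_high_ports(victim_prefix="192.0.2.0/24"):
    """Constructed rule using a range: UDP to victim, dport > 1024 AND < 65535."""
    return encode_nlri([
        encode_prefix_component(DEST_PREFIX, victim_prefix),
        encode_numeric_component(IP_PROTO, [(OP_EQ, 17)]),
        encode_numeric_component(DEST_PORT, [(OP_GT, 1024), (OP_AND | OP_LT, 65535)]),
    ])


if __name__ == "__main__":
    nlri, community = drop_udp_to_victim()
    print("NLRI:     ", nlri.hex())
    print("community:", community.hex())
    print("range NLRI:", drop_udp_high_ports().hex())
```

The operator byte is where most hand-built rules go wrong: the length bits describe the encoded value width, not the field width, and a term that forgets the end-of-list bit makes the receiver read the next component's type byte as another operator. A receiving router that validates as RFC 5575 section 6 requires will also refuse any rule whose destination prefix the sender does not originate, which is the property that makes a shared feed like the one described above safe to consume.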