On Sun, Jan 11, 2015 at 6:58 AM, Roland Dobbins <rdobbins@arbor.net> wrote:
On 11 Jan 2015, at 20:52, Ca By wrote:
1. BCP38 protects your neighbor, do it.
It's to protect yourself, as well. You should do it all the way down to the transit customer aggregation edge, all the way down to the IDC access layer, etc.
2. Protect yourself by having your upstream police Police UDP to some
baseline you are comfortable with.
This will come back to haunt you, when the programmatically-generated attack traffic 'crowds out' the legitimate traffic and everything breaks.
You can only really do this for ntp.
I do it for all UDP. There are bw policers and pps policers. As I said, this is known to work for me. YMMV. It is a managed risk, like anything. There are no silver bullets. I feel bad for people developing things like QUIC and WebRTC on UDP. But. i have already informed them of this risk to using UDP instead of a new L4 protocol. Protip: UDP is a cesspool. Don't build things on a cesspool where the vast majority of traffic is illegitimate. Guilty by association is a real thing. UDP will not have a renaissance CB
3. Have RTBH ready for some special case.
S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
----------------------------------- Roland Dobbins <rdobbins@arbor.net>