I came up with a solution for networks with ISP connections to deal quickly with DDoS attacks without having to be able to work with a network technician at the ISP for immediate relief.

If the ISP agrees, install a second low-speed connection to the same router your primary router BGP peers with. Through this low-speed connection you run a second BGP session advertising the /32 that is being attacked by the DDoS. You mark the /32 as NO-ADVERTISE so the route doesn't leave the border router. If you can't BGP peer with the same router as the primary connection, you advertise the attacked /32 with the NO-EXPORT community so the route stays within the ISP's AS. This second low-speed connection thus becomes a lightning rod for the DDoS traffic, most of which will be discarded and not even delivered due to congestion on the slow-speed link; the slower the better for you. This of course kills all traffic to the attacked node, but the rest of the network remains usable. Then, at least if the attack can be further defined, you can contact your ISP for a port-specific or source-address-specific filter so that more legitimate traffic can be accepted.

Another approach might be for the ISP to take a low-end router like a Cisco 2600 and run multihop BGP with their customers who want this kind of service. The router would remap the next-hop information for all routes it receives to Null0 or perhaps a 100 Mb/s Ethernet with nothing on it. It would also mark all the routes NO-EXPORT. Then only the single connection to the customer is needed. Two possible Achilles' heels of this approach are that the multihop BGP session between the customer and the ISP's low-end router may die under the flood of the attack, and that the low-end router could drop its iBGP peering if it becomes too flooded with the now-redirected traffic. Of course, appropriate route filtering would be essential so your customer could only advertise his own routes to be routed to a black hole.

Walt
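The second approach above (the ISP-run blackhole router speaking multihop BGP to its customers), as an added Cisco IOS configuration example that is not part of the original post. Every AS number and address in it is constructed for illustration: ISP AS 64501 with a blackhole router on loopback 203.0.113.1 and a border router on 203.0.113.2, customer AS 64496 with loopback 192.0.2.1 and the block 192.0.2.0/24, attacked host 192.0.2.10, and 203.0.113.254 as a dummy "discard" next hop. One assumption worth stating: an IOS route map cannot set a next hop of Null0 directly, so the received /32s are pointed at the dummy address and every ISP router carries a static route for that address to Null0.

```cisco
! Added example, not from the original post. All AS numbers and addresses are
! constructed: ISP AS 64501 (blackhole router 203.0.113.1, border router
! 203.0.113.2), customer AS 64496 (loopback 192.0.2.1, block 192.0.2.0/24,
! attacked host 192.0.2.10), discard next hop 203.0.113.254.
!
! ---- ISP blackhole router (the "low end router" of the post) ----
!
! Route maps cannot set a next hop of Null0, so customer /32s get a dummy next
! hop that is statically routed to Null0. This static route must also exist on
! every border router in the ISP's AS, which is where the discard then happens.
ip route 203.0.113.254 255.255.255.255 Null0
!
! Accept only /32s inside the customer's own allocation (ge 32 = exactly /32).
ip prefix-list CUST-64496-BLACKHOLE seq 10 permit 192.0.2.0/24 ge 32
!
route-map CUST-64496-BLACKHOLE-IN permit 10
 match ip address prefix-list CUST-64496-BLACKHOLE
 set ip next-hop 203.0.113.254
 set local-preference 200
 set community no-export additive
route-map CUST-64496-BLACKHOLE-IN deny 20
!
router bgp 64501
 ! multihop eBGP to the customer's loopback, over the existing link
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 ebgp-multihop 5
 neighbor 192.0.2.1 update-source Loopback0
 neighbor 192.0.2.1 route-map CUST-64496-BLACKHOLE-IN in
 neighbor 192.0.2.1 maximum-prefix 50
 ! iBGP to the border router(s): send-community is needed for NO_EXPORT to be
 ! carried, and next-hop-self must NOT be set so the discard next hop survives
 neighbor 203.0.113.2 remote-as 64501
 neighbor 203.0.113.2 update-source Loopback0
 neighbor 203.0.113.2 send-community
!
! ---- Customer trigger router ----
!
! A tagged static route for the attacked host is redistributed into BGP and
! sent only over the blackhole session; removing the static route withdraws
! the /32. Pointing it at Null0 also drops traffic for that host locally,
! which matches the post's "kills all traffic to the attacked node".
ip route 192.0.2.10 255.255.255.255 Null0 tag 666
!
route-map STATIC-TO-BGP permit 10
 match tag 666
 set community no-export
!
ip prefix-list BLACKHOLE-ONLY seq 10 permit 192.0.2.0/24 ge 32
!
route-map BLACKHOLE-OUT permit 10
 match ip address prefix-list BLACKHOLE-ONLY
route-map BLACKHOLE-OUT deny 20
!
! inverse filter: the /32s must never leak onto the primary transit session
route-map PRIMARY-OUT deny 10
 match ip address prefix-list BLACKHOLE-ONLY
route-map PRIMARY-OUT permit 20
!
router bgp 64496
 network 192.0.2.0 mask 255.255.255.0
 redistribute static route-map STATIC-TO-BGP
 ! blackhole session to the ISP's blackhole router
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 ebgp-multihop 5
 neighbor 203.0.113.1 update-source Loopback0
 neighbor 203.0.113.1 send-community
 neighbor 203.0.113.1 route-map BLACKHOLE-OUT out
 ! primary transit session (assumed ISP border address 198.51.100.1)
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 route-map PRIMARY-OUT out
```

Two points on the design. First, the discard next hop is what makes the ISP's border routers drop the attack traffic at their own Null0, so none of it is ever forwarded to the blackhole router; that addresses the post's concern about the low-end router losing its iBGP session under the redirected flood. Second, the `ge 32` prefix list plus the `deny 20` catch-all on the inbound route map is the "appropriate route filtering" the post calls essential: the customer can only blackhole single hosts inside its own allocation, and `maximum-prefix` bounds how many.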