mark@noc.mainstreet.net (Mark Kent) writes:
I've been trying to find out what the current BCP is for handling ddos attacks. Mostly what I find is material about ... But I don't care about most of that. I care that a gazillion pps are crushing our border routers (7206/npe-g1).
Other than getting bigger routers, is it still the case that the best we can do is identify the target IP (with netflow, for example) and have upstreams blackhole it?
that seems hardly worthwhile. ddos is astonishingly easier to launch than to defend against. if you stop a flow the attacker *might* get bored and decide to do something else, but they could also decide to attack you from a different direction, or wait two days and do it all over again, and every time they attack and you defend it's 10 minutes of their time and 10 hours of yours. far better to involve law enforcement and get some bad guys arrested, if you possibly can. this changes your costs from 10 hours to 15 hours but it actually puts some chips on the table and makes the game worthwhile. -- Paul Vixie