But that's my point: many small operators don't have tools and/or staff to identify flows in order to police and/or drop the traffic, and definitely not a NOC that can intervene in under 5 minutes. How much simpler if there was a generic rule that said "no one IP can receive more than 200 Mbps", log on that, and then if it takes 30 or 90 minutes for someone to react, that's fine, but in the meantime other customers weren't affected.

Frank

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of joel jaeggli
Sent: Saturday, November 08, 2014 11:22 PM
To: Roland Dobbins; NANOG
Subject: Re: DDOS, IDS, RTBH, and Rate limiting

On 11/8/14 6:28 PM, Roland Dobbins wrote:
> On 9 Nov 2014, at 8:59, Frank Bulk wrote:
>
>> I've written it before: if there was a software feature in routers where I could specify the maximum rate any prefix size (up to /32) could receive, that would be very helpful.
>
> QoS generally isn't a suitable mechanism for DDoS mitigation, as the programmatically-generated attack traffic ends up 'crowding out' legitimate traffic.

if you can identify attack traffic well enough to police it reliably then you can also drop it on the floor.

> S/RTBH, flowspec, and other methods tend to produce better results.

yup.

> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>
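The per-destination threshold Frank describes ("no one IP can receive more than 200 Mbps, log on that") can be approximated today on the detection side from the flow export most operators already have, even without a router feature that polices it. The following is an added example, not code from anyone in this thread: it aggregates constructed flow records into inbound bits per second per destination prefix (any length up to /32, as Frank's wish list asks for), flags prefixes over the threshold, produces the log lines a NOC could react to later, and lists the /32s that would be the candidates for an S/RTBH or flowspec action as Roland suggests. The flow-record shape, the 60-second window, the `SAMPLE_FLOWS` data and all function names are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow records for one export window: (destination IP, bytes received).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("192.0.2.10", 1_500_000_000),
    ("192.0.2.10", 1_500_000_000),   # 3 GB in 60 s -> 400 Mbps, over the threshold
    ("192.0.2.20", 300_000_000),     # 40 Mbps
    ("198.51.100.7", 750_000_000),   # 100 Mbps
    ("198.51.100.8", 900_000_000),   # 120 Mbps; 198.51.100.0/24 as a whole is 220 Mbps
]

WINDOW_SECONDS = 60
THRESHOLD_BPS = 200_000_000          # the "200 Mbps per IP" rule from the thread


def per_prefix_bps(flows, window_s, prefixlen=32):
    """Sum bytes per destination prefix over the window and convert to bits/s.

    prefixlen=32 gives the per-host view; a shorter length aggregates
    customers or subnets, matching 'any prefix size (up to /32)'.
    """
    bytes_by_prefix = defaultdict(int)
    for dst, nbytes in flows:
        prefix = ip_network(f"{dst}/{prefixlen}", strict=False)
        bytes_by_prefix[str(prefix)] += nbytes
    return {p: (b * 8) / window_s for p, b in bytes_by_prefix.items()}


def find_offenders(flows, window_s, threshold_bps=THRESHOLD_BPS, prefixlen=32):
    """Return (prefix, bps) for every prefix above the threshold, highest first."""
    rates = per_prefix_bps(flows, window_s, prefixlen)
    over = [(p, int(bps)) for p, bps in rates.items() if bps > threshold_bps]
    return sorted(over, key=lambda item: (-item[1], item[0]))


def log_lines(offenders, window_s, threshold_bps=THRESHOLD_BPS):
    """Human-readable alerts; the 'log on that' part of the rule."""
    return [
        f"ALERT dst={prefix} rate={bps / 1e6:.0f}Mbps "
        f"threshold={threshold_bps / 1e6:.0f}Mbps window={window_s}s"
        for prefix, bps in offenders
    ]


def rtbh_candidates(offenders):
    """Host routes a NOC could consider for a blackhole/flowspec announcement.

    Only /32 entries are returned: blackholing anything wider would take
    uninvolved customers down with the victim.
    """
    return [prefix for prefix, _ in offenders if prefix.endswith("/32")]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_FLOWS, WINDOW_SECONDS)
    for line in log_lines(hits, WINDOW_SECONDS):
        print(line)
    print("candidate /32s:", rtbh_candidates(hits))
    print("per-/24 view:", find_offenders(SAMPLE_FLOWS, WINDOW_SECONDS, prefixlen=24))
```

Note the difference the aggregation length makes: at /32 only the single victim host is flagged, while at /24 two subnets cross the line, one of them purely because several moderately busy hosts share it. That is why `rtbh_candidates` refuses anything wider than a host route; the threshold is a trigger for human review, not an automatic blackhole of a whole customer block.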