We are using Mikrotik for a BGP blackhole server that collects BOGONs from CYMRU and we also have our servers (web, email, etc.) use fail2ban to add a bad IP to the Mikrotik. We then use BGP on all our core routers to null route those IPs. The ban-time is for a few days, and totally dynamic, so it isn't a permanent ban. Seems to have cut down on the attempts considerably.

Eric Rogers
PDSConnect
www.pdsconnect.me
(317) 831-3000 x200

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Roland Dobbins
Sent: Wednesday, March 18, 2015 6:04 AM
To: nanog@nanog.org
Subject: Re: Getting hit hard by CHINANET

On 18 Mar 2015, at 17:00, Roland Dobbins wrote:
This is not an optimal approach, and most providers are unlikely to engage in such behavior due to its potential negative impact (I'm assuming you mean via S/RTBH and/or flowspec).
Here's one counterexample:

<https://ripe68.ripe.net/presentations/176-RIPE68_JSnijders_DDoS_Damage_Control.pdf>

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
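
Added example, not part of the original message or the poster's own tooling: a sketch of the time-limited ban list described at the top of this message, where fail2ban reports feed host routes that lapse after a few days. The class and function names, the three-day ban time, the protected prefix and all addresses are assumptions constructed for illustration.

```python
import ipaddress

BAN_SECONDS = 3 * 24 * 3600  # assumed value; the post only says "a few days"
# Constructed allowlist: prefixes that must never be null-routed (own servers, peers).
PROTECTED = [ipaddress.ip_network("192.0.2.0/24")]


class BlackholeTable:
    """Time-limited ban list that a route server would turn into host null routes."""

    def __init__(self, ban_seconds=BAN_SECONDS, protected=PROTECTED):
        self.ban_seconds = ban_seconds
        self.protected = list(protected)
        self.expiry = {}        # ip address -> epoch second at which the ban lapses
        self.announced = set()  # host routes currently advertised to the core routers

    def report(self, ip_text, now):
        """Record one fail2ban hit; return False if the address is refused."""
        try:
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            return False  # malformed input from a reporting server
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            return False  # never a sensible blackhole target
        if any(ip in net for net in self.protected):
            return False  # refuse to blackhole protected space
        self.expiry[ip] = now + self.ban_seconds  # a repeat hit extends the ban
        return True

    def sync(self, now):
        """Drop lapsed bans; return (to_announce, to_withdraw) as prefix strings."""
        self.expiry = {ip: t for ip, t in self.expiry.items() if t > now}
        wanted = {ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")
                  for ip in self.expiry}
        add, drop = wanted - self.announced, self.announced - wanted
        self.announced = wanted
        return sorted(map(str, add)), sorted(map(str, drop))


if __name__ == "__main__":
    table = BlackholeTable()
    # Constructed reports: two offenders, one protected address, one bad string.
    for addr in ("198.51.100.7", "203.0.113.9", "192.0.2.10", "not-an-ip"):
        print(addr, "accepted" if table.report(addr, now=0) else "refused")
    print(table.sync(now=0))
    print(table.sync(now=BAN_SECONDS))
```

Running `sync` on a timer and applying only the returned differences keeps the announced routes in step with the ban list, so expired entries are withdrawn without manual cleanup.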