On 3 May 2016, at 5:38, Martin Bacher wrote:
Let the packets come is not the message.
That was *precisely* the message which was spoken to me directly by a large regional CONUS ISP in mid-2003 or thereabouts. I know this; I was there. And it was the wrong message, as that particular ISP found out a couple of weeks later when their network was knocked flat and they lost customers because of it. A bit of schadenfreude might not have been out of place, for the less-charitably inclined.
or remark and/or rate-limit the particular flows with nearly, of course not for the customer under attack, the same result.
This is almost always a Bad Idea, because the programmatically-generated attack traffic ends up 'crowding out' the legitimate traffic. For some attacks which are obviously out-of-profile with regards to the attack targets, this isn't as much of a concern; some large network operators are doing this with regards to common UDP reflection/amplification traffic (but they're being careful about it). And that still doesn't address the issue of high-volume traffic choking peering/transit links, of course.
But that does not imply that all upstream ISPs are filtering out attacks by default for customers which are not paying for that.
Nobody here has said that. But some beneficiary collateral effects of this nature do show up, from time to time.
This is at least my interpretation from reading the various available DDoS reports and research papers.
You should probably be aware that you are likely conversing directly with the authors of/contributors to some of those very reports and research papers in this thread (depending on which reports and papers you mean), and that the people with whom you are interacting routinely mitigate DDoS attacks on the public Internet as part of their normal work routine - and have done so for many years. For many of us, this is not a theoretical discussion; and it would probably be a good idea to keep in mind that our contributions to this thread aren't based upon reading various reports and research papers, but rather upon our actions which generate the data and experiential observations upon which such reports and research papers are based. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>