On Tue, Jul 29, 2003 at 04:33:28PM -0700, Lane Patterson wrote: [ obnoxious text wordwrapped :) ]
> We have some DDoS-sensitive customers asking us to refer them to the best ISPs for "in-the-core" DDoS defense. Other than UUnet (hi Chris!) and MFN, I'm not aware of any ISPs in North America developing a reputation for consistent DDoS defense. Could folks contact me either off-list or on-list?
>
> It seems that large content providers and Tier2/3 bandwidth buyers would do well to collaborate on group RFPs for this type of thing to send the message to ISPs that it is something to invest in (dare I say productize?). While UUnet's detection/blocking is great, it would be wonderful to see some more intelligent filtering of DDoS traffic a la RiverHead or a similar approach that doesn't completely blackhole victim IPs.
Well, there are a few things/issues here. One is the "security" of such filtering. As many times as it's come up here saying "Filter your customers, it's important", how many people out there have a strict policy for filtering them? Would you want these same customers and providers that cannot get the filtering right in the first place to have the ability to accidentally (or intentionally) leak a blackhole route to your larger network? Yes, there is the ability to log BGP updates to have accountability, amongst other things, but the more serious issue is that people are not doing effective filtering [of announcements] in the first place.

As far as I can tell these days, the US depends on the Internet to be a utility. Always-on, and there is (for the most part) sufficient interconnection that the choice between the top few providers isn't as much a technical decision, but more of a financial one. (There is no need to connect to MCI, Sprint and UUNet each to avoid the peering congestion points as in the past). Equinix itself is demonstrating this with your "change providers monthly" service that you offer.

I think it will be some time before there will be adoption of this across most of the networks. We want people to contact our security team instead of "blackhole and forget" type solutions. If someone abuses the PSTN or other networks, they will eventually get their service terminated. If people abuse their access by launching DoS attacks, we need to catch them and get their access terminated. It's a bit harder to trace than the PSTN (or other networks), but I feel it is of value to do so.

- Jared

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
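The concern raised above is that a customer who is allowed to inject blackhole routes could leak one for address space they do not own, and that without per-update logging there is no accountability. The following is an added example (not code from the thread or from any of the networks named in it) of the acceptance check a provider would apply to each customer announcement before honouring it: a blackhole-tagged route is accepted only if it is a host route inside that customer's registered prefixes, every decision is logged, and anything else is rejected. The community value, customer names and prefixes are constructed for the example.

```python
import ipaddress
import logging
from dataclasses import dataclass

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("bgp-policy")

# Constructed values: a hypothetical blackhole community and a registry of
# the address space each customer session is permitted to announce.
BLACKHOLE_COMMUNITY = "65000:666"
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
}
MAX_NORMAL_PREFIXLEN = 24  # ordinary (non-blackhole) announcements no longer than this


@dataclass(frozen=True)
class Update:
    peer: str            # customer session the announcement arrived on
    prefix: str          # announced NLRI, e.g. "192.0.2.10/32"
    communities: tuple   # BGP communities attached to the announcement


def evaluate_update(update: Update, registry=CUSTOMER_PREFIXES):
    """Return (accept, reason) for one inbound customer announcement."""
    net = ipaddress.ip_network(update.prefix, strict=False)
    # The announced prefix must be covered by space registered to this customer.
    owned = any(net.version == p.version and net.subnet_of(p)
                for p in registry.get(update.peer, []))
    if not owned:
        return False, "prefix not within customer's registered space"
    if BLACKHOLE_COMMUNITY in update.communities:
        # A blackhole request is honoured only for a single host address.
        if net.prefixlen != net.max_prefixlen:
            return False, "blackhole announcement must be a host route"
        return True, "blackhole accepted"
    if net.prefixlen > MAX_NORMAL_PREFIXLEN:
        return False, "announcement more specific than policy allows"
    return True, "announcement accepted"


def process_updates(updates, registry=CUSTOMER_PREFIXES):
    """Apply the policy to a batch of updates, logging each decision."""
    decisions = []
    for u in updates:
        accept, reason = evaluate_update(u, registry)
        log.info("peer=%s prefix=%s communities=%s -> %s (%s)",
                 u.peer, u.prefix, ",".join(u.communities),
                 "ACCEPT" if accept else "REJECT", reason)
        decisions.append((u.prefix, accept))
    return decisions
```
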