On 14 Jan 2020, at 1:56, Lumin Shi wrote:
We believe that many routers on the Internet today may not have the necessary capacity to perform fine-grained traffic filtering, especially when facing a large-scale DDoS attack with or without IP spoofing.
There are literally decades of information on these topics available publicly. Router and switch ACLs (both static and dynamically-updated via flow spec), D/RTBH, S/RTBH, intelligent DDoS mitigation systems (IDMSes; full disclosure, I work for a vendor of such systems), et al. are all used to mitigate DDoS attacks.

Your comments about routers not having the 'capacity' (I think you mean capability) to filter traffic due to a lack of granularity are demonstrably inaccurate. While it's always useful to be able to parse into packets as deeply as practicable in hardware, layer-4 granularity has been and continues to be useful in mitigating DDoS attacks on an ongoing basis. Whether or not the traffic in question is spoofed is irrelevant, in this particular context.

Here are some .pdf presentations on the general topic of DDoS mitigation:

<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>

There are lots of write-ups and videos of presentations given at conferences like NANOG which address these issues; they can easily be located via the use of search engines.

--------------------------------------------
Roland Dobbins <roland.dobbins@netscout.com>
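An added illustration of the layer-4 granularity discussed in the reply above. This is example code written for this page, not code from the thread, from NANOG, or from any vendor's product: a small flowspec/ACL-style matcher (match terms on destination prefix, IP protocol, source/destination port and packet length, with discard or rate-limit actions) applied to constructed flow records. The victim prefix, the rules and the flow records are all made-up sample values. The rules never test the source address, which is the point the reply makes: a filter keyed on layer-4 attributes works the same whether or not sources are spoofed.

```python
"""Flowspec/ACL-style layer-4 matcher over constructed flow records (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One flow record, NetFlow-like. All values below are constructed samples."""
    src_ip: str
    dst_ip: str
    proto: int        # IP protocol number: 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    length: int       # packet length in bytes
    packets: int      # packets observed for this flow


@dataclass(frozen=True)
class Rule:
    """One match-term set plus an action, in the spirit of a BGP flowspec rule.
    Any term left as None is a wildcard. Note there is no source-address term."""
    name: str
    action: str                       # "discard" or "rate-limit"
    dst_prefix: Optional[str] = None  # e.g. "192.0.2.0/24"
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    min_length: Optional[int] = None  # match only packets at least this long

    def matches(self, f: Flow) -> bool:
        if self.dst_prefix is not None and ipaddress.ip_address(f.dst_ip) not in ipaddress.ip_network(self.dst_prefix):
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.src_port is not None and f.src_port != self.src_port:
            return False
        if self.dst_port is not None and f.dst_port != self.dst_port:
            return False
        if self.min_length is not None and f.length < self.min_length:
            return False
        return True


def apply_rules(flows: List[Flow], rules: List[Rule]) -> Tuple[Dict[str, int], List[Tuple[Flow, Optional[str]]]]:
    """First matching rule wins, like an ACL; unmatched flows are permitted.
    Returns per-action packet totals and a (flow, rule-name-or-None) verdict list."""
    totals = {"discard": 0, "rate-limit": 0, "permit": 0}
    verdicts: List[Tuple[Flow, Optional[str]]] = []
    for f in flows:
        rule = next((r for r in rules if r.matches(f)), None)
        action = rule.action if rule else "permit"
        totals[action] += f.packets
        verdicts.append((f, rule.name if rule else None))
    return totals, verdicts


# Constructed victim prefix (documentation range) and two layer-4 rules.
VICTIM = "192.0.2.0/24"
RULES = [
    # Large UDP packets from source port 123 toward the victim: discard.
    Rule("udp-123-reflection", "discard", dst_prefix=VICTIM, proto=17, src_port=123, min_length=200),
    # Large UDP packets from source port 53 toward the victim: rate-limit rather than drop,
    # so ordinary small DNS answers still get through untouched.
    Rule("udp-53-large", "rate-limit", dst_prefix=VICTIM, proto=17, src_port=53, min_length=512),
]

# Constructed flow records; the source addresses may or may not be spoofed,
# and the rules above do not care either way.
FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", 17, 123, 40123, 468, 50000),  # flood-like, matches rule 1
    Flow("198.51.100.8", "192.0.2.10", 17, 53, 33333, 1400, 20000),  # large DNS answers, rule 2
    Flow("203.0.113.5", "192.0.2.10", 17, 53, 33334, 90, 300),       # small DNS answers, permitted
    Flow("203.0.113.9", "192.0.2.10", 6, 51000, 443, 1200, 800),     # TCP/443, permitted
    Flow("198.51.100.7", "203.0.113.50", 17, 123, 40124, 468, 100),  # other prefix, permitted
]


def summarize() -> Dict[str, int]:
    """Packet totals per action for the sample rules and flows."""
    totals, _ = apply_rules(FLOWS, RULES)
    return totals


if __name__ == "__main__":
    totals, verdicts = apply_rules(FLOWS, RULES)
    for flow, rule_name in verdicts:
        print(f"{flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port} "
              f"proto={flow.proto} len={flow.length} pkts={flow.packets} -> {rule_name or 'permit'}")
    print(totals)
```

The first-match semantics and the per-action totals mirror how an ACL or flowspec rule set is usually reasoned about when checking that a mitigation does not also drop legitimate traffic (here the small DNS answers and the TCP/443 flow pass untouched).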