I think most here know (way better than me) the concepts of DDoS, anomaly detection, and reactions.

Some of the reactions that can be implemented to reduce the impact of an attack are Remote-Triggered BlackHole and FlowSpec Filtering.

In theory, using FlowSpec, it would be possible for the source of that FlowSpec announcement to receive from the FlowSpec-Enforcer-Box the measurements of those rules.
But in fact, considering FlowSpec-Enforcement as-a-service, I've never seen that happen between a FlowSpec-RulesGenerator-Box and a FlowSpec-Enforcer-Box that are operated by different organizations.
(If some company does, please let me know.)


So, in practical actions, the FlowSpec-RulesGenerator-Box needs to play a guessing game of how long it will take until the attack ceases.
- First, send that FlowSpec Filtering for 3 minutes.
- After that initial timer expires and the FlowSpec Filtering is removed, measure the flows on its own equipment.
- If the attack is still there, re-announce the FlowSpec Filter Rule for another 15 minutes.
- Wait for it to expire again; if the attack is still there, re-announce for another 30 minutes, and keep this in an eternal loop.

The same occurs with Remote-Triggered-Blackhole.
I need to remove it and feel whether it is still there.
And every time I do that, small partial outages occur at the destination network.


Have you ever imagined if those who implemented the RTBH or FlowSpec could give you some feedback on the usage of that BH or FlowSpecDrop?

I really still don't know how to do this...
Or even know if there is already a solution to that and I'm trying to reinvent the wheel.

What do you think about that?
Any Ideas?



--
Douglas Fernando Fischer
Control and Automation Engineer
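The escalating re-announce loop described in the post, written out as a small simulation so the trade-off it creates is visible (added example, not code from the original message). It assumes a hypothetical one-minute measuring window while the rule is withdrawn and models the attack as lasting a fixed number of minutes that the rule generator cannot see; it reports how many probe windows let attack traffic through (the partial outages the post mentions) and how long the filter outlives the attack.

```python
"""Simulate the timer-escalation loop for a FlowSpec / RTBH rule.

The rules generator has no counters from the enforcer, so it announces a
filter for a fixed time, withdraws it, measures its own flows, and
re-announces with a longer timer while the attack is still visible.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Announce durations from the post: 3, then 15, then 30 minutes forever.
SCHEDULE_MIN: Sequence[int] = (3, 15, 30)


@dataclass
class Outcome:
    # Withdrawals made while the attack was still running; each one is a
    # short window in which attack traffic reaches the destination.
    probe_windows: int = 0
    # (start_minute, duration_minutes) of every announcement made.
    announcements: List[Tuple[int, int]] = field(default_factory=list)
    # Minute at which a probe first found the attack gone.
    cleared_at_min: Optional[int] = None
    # Minutes the filter stayed active after the attack had already ended
    # (for RTBH this is self-inflicted blackholing of the destination).
    overblock_min: int = 0


def simulate(attack_duration_min: int,
             schedule: Sequence[int] = SCHEDULE_MIN,
             probe_min: int = 1) -> Outcome:
    """Run the loop until a probe observes no attack.

    attack_duration_min: real length of the flood (unknown to the generator).
    probe_min: constructed assumption: time the rule is withdrawn to measure.
    """
    now, step, out = 0, 0, Outcome()
    while True:
        duration = schedule[min(step, len(schedule) - 1)]  # last value repeats
        out.announcements.append((now, duration))
        now += duration                       # rule active until its timer expires
        if now >= attack_duration_min:        # probe sees clean flows: stop
            out.cleared_at_min = now
            out.overblock_min = now - attack_duration_min
            return out
        out.probe_windows += 1                # attack still on: traffic leaks in
        now += probe_min                      # measuring window, then re-announce
        step += 1
```

Comparing `simulate(40)` with a longer schedule such as `(30, 60)` shows the guessing game directly: fewer probe windows, but more minutes of filtering after the attack has already stopped.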