level3 dia egress filtering?
Does anyone have any experience dealing with Level3 in trying to get egress filters applied to an internet DIA link with them?

I've been trying to get them to apply an egress filter to drop all UDP to a certain /25 on my network that's been getting hammered by a DNS amplification attack, and I am being told that they can only 'drop an entire protocol, and not to a specific IP address or range.' Can anyone confirm if that's the case?

cheers
-chris
We contacted Level3 a few weeks back, and were told that they do not provide any filtering service. I've not been able to confirm this from anyone else, besides the Level3 customer service rep we spoke with.

Currently looking into a DDoS protection service from Akamai. Sounds awesome what they can do, but often "awesome" translates to "overkill" and/or "too expensive".

-Petter
Are you asking a transit network to filter specific ports as an end user, or as an ISP who has Level 3 as a transit provider?

I haven't seen that a specific port could be dropped by any network.... I'm only aware of BGP community string abilities like 3356:9999 - black hole (discard all traffic for a specific IP range).

We have and will filter specific ports for customers. But this port-type ACL is completed by hand.... I haven't seen anyone implement this using a BGP community string.

Thank You
Bob Evans
CTO
Fiber Internet Center
Not specific ports, but something more like:

'deny udp any my.target.slash.25 0.0.0.127'

BGP blackholing will obviously impact all traffic to a target.

-chris
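As an added illustration (not code from the thread, from Level3, or from any other provider), here is a small Python model of the two mitigations the thread contrasts: the protocol-specific ACL Chris sketches and the RTBH blackhole Bob mentions (the 3356:9999-style community). The /25 in RFC 5737 documentation space and the traffic sample are constructed; the model counts how much legitimate traffic each approach discards.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data, not from the thread: 192.0.2.0/25 (RFC 5737
# documentation space) stands in for the attacked /25.
TARGET = ipaddress.ip_network("192.0.2.0/25")

@dataclass(frozen=True)
class Packet:
    proto: str    # "udp" or "tcp"
    dst: str
    attack: bool  # labelled so collateral damage can be counted

def parse_acl(line: str):
    """Parse 'deny <proto> any <addr> <wildcard>' into (proto, network)."""
    action, proto, src, addr, wild = line.split()
    if action != "deny" or src != "any":
        raise ValueError("only 'deny <proto> any ...' rules are handled here")
    w = int(ipaddress.ip_address(wild))
    if w & (w + 1):   # a Cisco wildcard must be a contiguous run of low bits
        raise ValueError(f"non-contiguous wildcard mask {wild}")
    net = ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)
    return proto.lower(), net

def acl_drops(rule, pkt: Packet) -> bool:
    """Protocol-specific ACL: only that protocol toward the range is discarded."""
    proto, net = rule
    return pkt.proto == proto and ipaddress.ip_address(pkt.dst) in net

def rtbh_drops(prefix: ipaddress.IPv4Network, pkt: Packet) -> bool:
    """RTBH (e.g. a 3356:9999-style community): everything to the prefix is discarded."""
    return ipaddress.ip_address(pkt.dst) in prefix

# Constructed traffic: UDP/53 amplification replies to two hosts in the /25,
# legitimate TCP sessions to the same hosts, and one packet outside the /25.
SAMPLE = [
    Packet("udp", "192.0.2.10", attack=True),
    Packet("udp", "192.0.2.77", attack=True),
    Packet("tcp", "192.0.2.10", attack=False),
    Packet("tcp", "192.0.2.77", attack=False),
    Packet("udp", "192.0.2.200", attack=False),
]

def summarize(rule, prefix, packets) -> dict:
    """How many attack vs. legitimate packets each mitigation discards."""
    out = {}
    for name, drop in (("acl", lambda p: acl_drops(rule, p)),
                       ("rtbh", lambda p: rtbh_drops(prefix, p))):
        out[f"{name}_attack"] = sum(drop(p) for p in packets if p.attack)
        out[f"{name}_legit"] = sum(drop(p) for p in packets if not p.attack)
    return out
```

Running summarize(parse_acl("deny udp any 192.0.2.0 0.0.0.127"), TARGET, SAMPLE) shows the ACL dropping only the flood while the blackhole also takes the hosts' TCP traffic with it, which is the trade-off Chris points out.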
Ahh, yep, same thing: port and/or protocol for an address range. I haven't seen that accomplished via BGP. I know ATT will do it - they want about 2K more per month for that ability. All your traffic is redirected (extra hops) through a firewall. So, it's a basic expensive firewall service.

We have done both port based and protocol. But it gets installed by hand, only on the port the customer is connected to.

Bob Evans
CTO
Fiber Internet Center
From what I've seen, most of the major carriers don't filter traffic outside of truly exceptional circumstances, or it's treated as a revenue source. If it's offered at all, it's often priced unattractively, because carriers often don't want to be in the firewall/port-filtering business.
jms
All my providers provide me incident response that includes RTBH as well as ACL and in some cases protocol rate limiting. ACL may take a while working the phone, but RTBH is immediate. I substantially decreased business with AT&T since they do not offer RTBH. RTBH is really the floor on security features, and AT&T is below the floor.

CB
We've received such requests from customers as well, and our policy is we do not implement any kind of filtering, even though it is restricted to just one customer.

If the customer is looking for DoS/DDoS mitigation services, that is something else that can be offered.

But as an ISP, filtering in the data plane that is not for the protection of our core's control plane is not our deal. It is not something I'd ask of my IP Transit provider, nor support that they do.

Mark.
I would personally look at leaving Level 3 over that kind of response. I consider it basic service to throw a 1-line ACL on an interface temporarily in exceptional circumstances. Transit guys can argue if they wish, but it won't change my expectations as a customer. Eventually I'll find a carrier that will offer reasonable service.

I know it's why I kept UUnet back in the day, and dropped all my other providers at the time. Heck, ATT even blackholed our traffic with a static null, so we were broken even after depeering for several hours until we could find someone who knew what a route was via their support.

-Blake
You can't really have your cake and eat it too. If this is a deal breaker for anyone, getting it in writing within the contract should be the most basic of steps to undertake. Asking beforehand will also actually let you know who will and won't do this, thus avoiding surprises like these altogether. Otherwise, as Mark mentioned, they're entirely within the contractual agreement.

Paul S.
I suppose the question then becomes your and the ISP's interpretation of "exceptional circumstances".

Mark.
participants (8): Blake Dunlap, Bob Evans, Ca By, Christopher Rogers, Justin M. Streiner, Mark Tinka, Paul S., Petter Bruland