[c-nsp] Stop IP Fragmentation attack
Roland Dobbins
rdobbins at arbor.net
Tue Apr 26 16:59:34 EDT 2016
On 27 Apr 2016, at 3:33, Satish Patel wrote:
> 1. Does S/RTBH require BGP right?
> 2. To run BGP requirement is you have to be /24 class network right?
> (we are very small company)
As I already explained, the BGP triggering mechanism for S/RTBH and for
flowspec (if your platform supports it) has *nothing to do with
routing*, it is simply a control-plane trigger mechanism, in this
context. It has *nothing to do with your upstream transit provider*.
You can *do it locally on your own transit edge router*.
Read and absorb this .pdf preso:
<https://app.box.com/s/xznjloitly2apixr5xge>
> 3. DDoS has many many source IP address (spoofed) It's hard to block
You said that you were mainly suffering from UDP
reflection/amplification attacks. As I stated in a previous response in
this thread, those sources are *not* spoofed, from your perspective.
Please read and absorb this .pdf preso:
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
> Source when million IP attacks, right?
You don't generally see a million IP addresses in UDP
reflection/amplification attacks. The good thing about the combination
of flow telemetry and S/RTBH are a) that you can tabulate the sources
and b) that S/RTBH scales up to the FIB limit of your router.
I mitigate DDoS attacks for a living, FYI. It might be a good idea to
read and absorb what I write and read and absorb the presos I post and
the links I post, because it sounds as if you can benefit from this
information.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
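
Added example, not part of the original message or of any vendor tooling: a sketch of the "tabulate the sources from flow telemetry, then feed S/RTBH up to the FIB limit" workflow described above. The flow records, the reflector port set, the byte threshold, the FIB budget and the route tag 666 are all assumptions made for illustration; a trigger router that redistributes tagged static routes into BGP, with loose-mode uRPF on the edge, is also assumed.

```python
from collections import Counter

# Constructed flow records: (src, src_port, proto, dst, bytes).
# All addresses are documentation ranges, not real hosts.
FLOWS = [
    ("198.51.100.7", 123, 17, "203.0.113.10", 480_000),
    ("198.51.100.7", 0, 17, "203.0.113.10", 220_000),    # non-initial fragments
    ("198.51.100.9", 53, 17, "203.0.113.10", 900_000),
    ("198.51.100.9", 0, 17, "203.0.113.10", 600_000),    # non-initial fragments
    ("192.0.2.44", 1900, 17, "203.0.113.10", 30_000),
    ("192.0.2.80", 51515, 17, "203.0.113.10", 700_000),  # ordinary UDP client
    ("192.0.2.90", 443, 6, "203.0.113.10", 1_000_000),   # TCP, out of scope
]
UDP = 17
# Assumed set of UDP source ports to treat as reflectors (chargen, DNS, NTP, SSDP).
REFLECTOR_PORTS = {19, 53, 123, 1900}

def tabulate_sources(flows, victim):
    """Bytes per reflector source toward the victim.

    Non-initial fragments carry no UDP header, so they are assumed to be
    exported with source port 0; they are counted only for sources that
    were also seen sending from a reflector port.
    """
    udp = [f for f in flows if f[2] == UDP and f[3] == victim]
    reflectors = {src for src, sport, *_ in udp if sport in REFLECTOR_PORTS}
    totals = Counter()
    for src, sport, _proto, _dst, nbytes in udp:
        if src in reflectors and (sport in REFLECTOR_PORTS or sport == 0):
            totals[src] += nbytes
    return totals

def select_for_srtbh(totals, min_bytes, fib_budget):
    """Heaviest sources first, never more entries than the FIB budget."""
    heavy = [src for src, n in totals.most_common() if n >= min_bytes]
    return heavy[:fib_budget]

def trigger_routes(sources, tag=666):
    """Tagged /32 static routes for the trigger router (tag is an assumption)."""
    return [f"ip route {s} 255.255.255.255 Null0 tag {tag}" for s in sources]

if __name__ == "__main__":
    totals = tabulate_sources(FLOWS, "203.0.113.10")
    for line in trigger_routes(select_for_srtbh(totals, 100_000, 2)):
        print(line)
```

Because S/RTBH drops on source address, the fragment traffic from a listed reflector is discarded along with its first fragments, which port-based ACLs would miss.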