[c-nsp] Stop IP Fragmentation attck

Roland Dobbins rdobbins at arbor.net
Tue Apr 26 16:59:34 EDT 2016

On 27 Apr 2016, at 3:33, Satish Patel wrote:

> 1. Does S/RTBH require BGP right?
> 2. To run BGP requirement is you have to be /24 class network right?
> (we are very small company)

As I already explained, the BGP triggering mechanism for S/RTBH and for 
flowspec (if your platform supports it) has *nothing to do with 
routing*, it is simply a control-plane trigger mechanism, in this 
context.  It has *nothing to do with your upstream transit provider*.  
You can *do it locally on your own transit edge router*.

Read and absorb this .pdf preso:


> 3. DDoS has many many source IP address (spoofed) It's hard to block

You said that you were mainly suffering from UDP 
reflection/amplification attacks.  As I stated in a previous response in 
this thread, those sources are *not* spoofed, from your perspective.  
Please read and absorb this .pdf preso:


> Source when million IP attacks, right?

You don't generally see a million IP addresses in UDP 
reflection/amplification attacks.  The good thing about the combination 
of flow telemetry and S/RTBH are a) that you can tabulate the sources 
and b) that S/RTBH scales up to the FIB limit of your router.

I mitigate DDoS attacks for a living, FYI.  It might be a good idea to 
read and absorb what I write and read and absorb the presos I post and 
the links I post, because it sounds as if you can benefit from this 

Roland Dobbins <rdobbins at arbor.net>

More information about the cisco-nsp mailing list