[c-nsp] BGP flowspec S/RTBH for large DDoS
Roland Dobbins
rdobbins at arbor.net
Sun May 15 18:48:55 EDT 2016
On 16 May 2016, at 2:01, Satish Patel wrote:
> And they said BGP flowspec S/RTBH isn't useful for a large number of
> attack sources.
Wrong.
> We are sometimes getting a 20G DDoS on a link and it has many, many sources.
> Does S/RTBH with flowspec mitigate them?
S/RTBH and flowspec are two different things.
S/RTBH drops traffic based upon source or destination IP address. All
traffic from/to the IP address in question. You must enumerate the
attack sources, and do some script-fu to keep up with what's being
dropped, what shouldn't be dropped any more. The number of sources you
can drop this way is basically limited by your FIB (including all the
other entries you have, of course).
> Is there any limit to flowspec?
Of course. Flowspec allows you to push ACL stanzas via BGP to your
edges. The number of stanzas you can push depends upon the hardware
platform you're using. A Cisco ASR9K w/Typhoon-based linecards can
handle about 4K stanzas per ASIC by default, for example. You don't
typically block sources with flowspec; instead, you push network access
policies.
They can be used together. Push network policies to screen
out-of-policy traffic at your edges, then use S/RTBH to drop attack
sources which are in-policy.
Why don't you just enable both of these functions, and play around with
them? That will give you an idea of how best you can use each one.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
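The per-source bookkeeping Roland calls "script-fu" (tracking what is currently dropped, un-dropping stale sources, and staying inside the FIB ceiling), as an added example that is not from this thread: a small Python controller that keeps a bounded set of blackholed host routes with a TTL and emits ExaBGP-style announce/withdraw lines. The discard next-hop 192.0.2.1, the community 65000:666, the FIB budget and the ExaBGP text syntax are assumptions; the edge routers are assumed to already route the discard next-hop to Null0 and run loose-mode uRPF.

```python
"""Bounded S/RTBH controller (illustrative, not a product).

Keeps a capped set of blackholed host routes with an expiry, refreshes
entries for sources still attacking, and generates BGP updates for a
route injector. Output lines follow ExaBGP's text API (assumed syntax).
"""
import ipaddress
import time

BLACKHOLE_NEXT_HOP = "192.0.2.1"    # assumed discard next-hop (routed to Null0 on edges)
BLACKHOLE_COMMUNITY = "65000:666"   # assumed community matched by the edge route-map


class SourceBlackholer:
    def __init__(self, fib_budget, ttl_seconds, now=time.time):
        self.fib_budget = fib_budget    # max host routes we allow ourselves in the FIB
        self.ttl = ttl_seconds          # how long a source stays dropped without refresh
        self.now = now                  # injectable clock for testing
        self.active = {}                # prefix -> expiry timestamp (insertion ordered)

    def add_sources(self, sources):
        """Blackhole new sources within the FIB budget; return announce lines."""
        lines = []
        for src in sources:
            addr = ipaddress.ip_address(src)
            prefix = f"{addr}/{addr.max_prefixlen}"   # /32 for IPv4, /128 for IPv6
            if prefix in self.active:
                self.active[prefix] = self.now() + self.ttl   # still attacking: refresh TTL
                continue
            if len(self.active) >= self.fib_budget:
                break   # budget exhausted: remaining sources are left to flowspec policy
            self.active[prefix] = self.now() + self.ttl
            lines.append(f"announce route {prefix} next-hop {BLACKHOLE_NEXT_HOP} "
                         f"community [{BLACKHOLE_COMMUNITY}]")
        return lines

    def expire(self):
        """Withdraw sources whose TTL has passed; return withdraw lines."""
        t = self.now()
        stale = [p for p, exp in self.active.items() if exp <= t]
        for p in stale:
            del self.active[p]
        return [f"withdraw route {p} next-hop {BLACKHOLE_NEXT_HOP}" for p in stale]


if __name__ == "__main__":
    # Constructed sample sources from documentation ranges.
    bh = SourceBlackholer(fib_budget=2, ttl_seconds=60)
    for line in bh.add_sources(["203.0.113.5", "198.51.100.7", "203.0.113.9"]):
        print(line)
```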