[c-nsp] BGP flowspec S/RTBH for large DDoS

Satish Patel satish.txt at gmail.com
Sun May 15 19:39:53 EDT 2016


First of all, I need an ASR9k, so I am looking for hardware. I am also
collecting information on flowspec. I think I need to talk to my
ISP, and I am sure they will say "we don't do flowspec", but I have to
push it out ASAP.  I think most ISPs don't trust customers and
won't allow these technologies.

On Sun, May 15, 2016 at 6:48 PM, Roland Dobbins <rdobbins at arbor.net> wrote:
> On 16 May 2016, at 2:01, Satish Patel wrote:
>
>> And they said BGP flowspec S/RTBH isn't useful for a large number of
>> attack sources.
>
>
> Wrong.
>
>> We are sometimes getting 20G DDoS on the link and it has many, many sources.
>> Does S/RTBH with flowspec mitigate them?
>
>
> S/RTBH and flowspec are two different things.
>
> S/RTBH drops traffic based upon source or destination IP address.  All
> traffic from/to the IP address in question.  You must enumerate the attack
> sources, and do some script-fu to keep up with what's being dropped and what
> shouldn't be dropped any more.  The number of sources you can drop this way
> is basically limited by your FIB (including all the other entries you have,
> of course).
>
>> Is there any limit to flowspec?
>
>
> Of course.  flowspec allows you to push ACL stanzas via BGP to your edges.
> The number of stanzas you can push depends upon the hardware platform you're
> using.  A Cisco ASR9K w/Typhoon-based linecards can handle about 4K stanzas
> per ASIC by default, for example.  You don't typically block sources with
> flowspec; instead, you push network access policies.
>
> They can be used together.  Push network policies to screen out-of-policy
> traffic at your edges, then use S/RTBH to drop attack sources which are
> in-policy.
>
> Why don't you just enable both of these functions, and play around with
> them?  That will give you an idea of how best you can use each one.
>
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
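The reply above describes the "script-fu" side of S/RTBH: enumerating attack sources, keeping the number of injected host routes within the FIB's capacity, and withdrawing sources that should no longer be dropped. The following is an added example illustrating that bookkeeping; it is not code from this thread, from Cisco, or from Arbor. It assumes a discard next-hop of 192.0.2.1 (a documentation address, assumed to resolve to Null0 on the edge routers), the RFC 7999 BLACKHOLE community 65535:666, and an ExaBGP-style text command format (an assumption; it only builds strings, it does not speak BGP). The flow samples are constructed, not real attack data.

```python
"""Minimal S/RTBH source-tracking controller (added example, not from the thread).

Decides which sources to blackhole, caps the number of injected host routes at a
FIB budget, refreshes sources that keep attacking, and withdraws quiet ones.
"""
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999 BLACKHOLE well-known community
DISCARD_NEXT_HOP = "192.0.2.1"      # assumed: a next-hop the edges route to Null0

# Constructed sample: (source address, observed packets per second) at time 0.
SAMPLE_FLOWS_T0 = [
    ("198.51.100.10", 900_000),   # attack source
    ("198.51.100.11", 850_000),   # attack source
    ("203.0.113.5", 120),         # ordinary traffic, below threshold
    ("198.51.100.12", 700_000),   # attack source, but arrives after budget is spent
]


@dataclass
class SrtbhController:
    fib_budget: int        # max number of host routes this controller may inject
    pps_threshold: int     # per-source packet rate that triggers a blackhole
    hold_seconds: int      # withdraw a source once it has been quiet this long
    active: dict = field(default_factory=dict)  # source -> last time it exceeded threshold

    @staticmethod
    def _host_prefix(src):
        # Validate the address before it gets anywhere near the RIB; /32 for
        # IPv4 and /128 for IPv6 so the blackhole covers exactly one host.
        addr = ipaddress.ip_address(src)
        return f"{addr}/{addr.max_prefixlen}"

    def _announce(self, prefix):
        return (f"announce route {prefix} next-hop {DISCARD_NEXT_HOP} "
                f"community [{BLACKHOLE_COMMUNITY}]")

    def _withdraw(self, prefix):
        return f"withdraw route {prefix} next-hop {DISCARD_NEXT_HOP}"

    def observe(self, flows, now):
        """Take (source, pps) samples at time `now`; return commands to issue."""
        cmds = []
        for src, pps in flows:
            prefix = self._host_prefix(src)
            if pps < self.pps_threshold:
                continue
            if prefix in self.active:
                self.active[prefix] = now   # still attacking: refresh the hold timer
                continue
            if len(self.active) >= self.fib_budget:
                # FIB budget exhausted: leave this source to edge flowspec policy
                # rather than risk the FIB; a real controller would alert here.
                continue
            self.active[prefix] = now
            cmds.append(self._announce(prefix))
        return cmds

    def expire(self, now):
        """Withdraw sources quiet for hold_seconds; return commands to issue."""
        cmds = []
        for prefix, last_seen in list(self.active.items()):
            if now - last_seen >= self.hold_seconds:
                del self.active[prefix]
                cmds.append(self._withdraw(prefix))
        return cmds


def run_demo():
    """Walk the constructed scenario; returns every command in order."""
    ctl = SrtbhController(fib_budget=2, pps_threshold=100_000, hold_seconds=120)
    out = ctl.observe(SAMPLE_FLOWS_T0, now=0)          # two announces, one over budget
    out += ctl.observe([("198.51.100.10", 950_000)], now=60)  # refresh, no new command
    out += ctl.expire(now=130)                          # .11 quiet for 130s -> withdrawn
    out += ctl.observe([("198.51.100.12", 700_000)], now=130)  # slot freed -> announced
    return out


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The budget check is the point the reply makes about FIB capacity: the controller refuses to inject more host routes than it was told the edges can hold, and relies on the hold timer to free slots, so a long attack with churning sources does not grow the table without bound.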

