[c-nsp] DDOS Attacks Mitigation

Ryan Lambert ryan.nsplist at gmail.com
Fri Nov 4 08:41:05 EDT 2016


Samir,

You'll run your inbound traffic through the mitigation provider, generally
by letting them preempt your announcements with their own (containing your
IP space). I find tweaking communities and AS-paths on my announcements to
try and accommodate this behavior to be a little bit tedious because of all
the peering dependencies and/or required upstream functionality, so what we
did was allow them to announce the more specifics in our case -- i.e. I
announce aggregate blocks, they announce individual /24s, etc. This works
universally and is low-touch.

You'll then set up GRE tunnels to the provider, and when they receive the
traffic they will pass it to your designated GRE endpoints via those
tunnels.

Outbound traffic generally does not traverse the mitigation provider, and
it is not considered a stateful service.

Another thing to consider is that if you need to monitor inbound traffic or
catch it in edge ACLs, the traffic arriving at your peering edge is going
to be GRE until it hits your tunnel interfaces, so you may need to
re-position some things in order to accommodate that.

R

On Fri, Nov 4, 2016 at 3:04 AM, Samir Abid Al-mahdi via cisco-nsp <
cisco-nsp at puck.nether.net> wrote:

> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> ---------- Forwarded message ----------
> From: Samir Abid Al-mahdi <samir.abidali at gorannet.net>
> To: Arie Vayner <ariev at vayner.net>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Date: Fri, 4 Nov 2016 10:03:41 +0300
> Subject: Re: [c-nsp] DDOS Attacks Mitigation
> Hi Arie,
>
> Thank you for helping me,
>
> However, the solution is not clear to me; online Anti-DDOS solutions work
> on a service basis, such as domains.
>
> We are an ISP that is under attack, and volume-based DDOS attacks are the
> majority of the attacks and are affecting the overall network
> performance. How will the online service help with this? Does it mean
> the traffic has to pass through their system first?
>
> Appreciate your support
>
> Best Regards
>
> On 30 October 2016 at 09:32, Arie Vayner <ariev at vayner.net> wrote:
>
> > Samir,
> >
> > There's quite a few cloud based DDoS
> > <https://www.google.com/search?q=ddos+protection+cloud+service>
> > protection/mitigation services. I would start there.
> > Your upstream ISP may also have a service, so you should have a chat with
> > them.
> >
> > HTH
> > Arie
> >
> > On Sat, Oct 29, 2016 at 10:56 PM Samir Abid Al-mahdi via cisco-nsp <
> > cisco-nsp at puck.nether.net> wrote:
> >
> >> Dear Experts,
> >>
> >> We are facing frequent DDOS attacks on our network. We are leasing an
> >> internet circuit from our internet provider. On a daily basis we are
> >> getting DDOS attacks; our Internet Firewall is dropping the illegitimate
> >> traffic, but unfortunately this still comes at the expense of our Internet
> >> circuit, and we are getting saturated and bad network performance, and our
> >> users start complaining.
> >>
> >> Is there a specific technology on the firewall to trigger a remote black
> >> hole, or any other solution that is recommended for such a setup, such as
> >> perhaps placing equipment at the internet provider?
> >>
> >> Appreciate your continuous support.
> >>
> >>
> >> Best Regards
> >>
> >>
> >>
> >>
> >> ---------- Forwarded message ----------
> >> From: Samir Abid Al-mahdi via cisco-nsp <cisco-nsp at puck.nether.net>
> >> To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> >> Cc:
> >> Date: Sun, 30 Oct 2016 01:56:28 -0400 (EDT)
> >> Subject: [c-nsp] DDOS Attacks Mitigation
> >>
> >
>
>
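The two mechanics Ryan describes above (the provider's more-specific announcement pulling inbound traffic through the scrubbing centre, and the clean traffic arriving at the peering edge as GRE so that an edge ACL keyed on the inner destination never matches) are illustrated below in an added Python example. This is not code from the thread or from any mitigation provider; every address, ASN and packet is a constructed lab value (AS 64500 as the ISP, AS 64496 as the provider, 10.10.0.0/22 as the ISP's aggregate with 10.10.1.0/24 as the scrubbed more-specific, and RFC 5737 addresses as the GRE tunnel endpoints), and the ACL model is a single "deny <proto> any host <dst>" entry.

```python
import ipaddress
import struct
from dataclasses import dataclass

# ---- Part 1: longest-prefix match decides where inbound traffic lands -------
# Constructed routing table as a remote router would see it: we (AS 64500)
# announce the aggregate; the mitigation provider (AS 64496) announces a /24
# inside it. Paths are tuples, first element = AS the traffic enters through.
RIB = [
    ("10.10.0.0/22", (64500,)),         # our aggregate, announced by us
    ("10.10.1.0/24", (64496, 64500)),   # more-specific, announced by the provider
]


def best_route(dst: str):
    """Return (prefix, as_path) of the longest matching prefix, or None."""
    addr = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p), path) for p, path in RIB
                  if addr in ipaddress.ip_network(p)]
    if not candidates:
        return None
    net, path = max(candidates, key=lambda c: c[0].prefixlen)
    return str(net), path


def ingress_via_provider(dst: str, provider_asn: int = 64496) -> bool:
    """True when inbound traffic for dst enters through the provider's AS."""
    route = best_route(dst)
    return route is not None and route[1][0] == provider_asn


# ---- Part 2: what the peering edge sees before GRE decapsulation ------------
@dataclass
class IPv4:
    proto: int
    src: str
    dst: str
    payload: bytes


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header for a constructed packet (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def gre_encap(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Wrap an inner IPv4 packet in GRE (RFC 2784, no options) + outer IPv4."""
    gre = struct.pack("!HH", 0, 0x0800)  # flags/version = 0, protocol = IPv4
    return ipv4_header(outer_src, outer_dst, 47, len(gre) + len(inner)) + gre + inner


def parse_ipv4(pkt: bytes) -> IPv4:
    ihl = (pkt[0] & 0x0F) * 4
    return IPv4(pkt[9], str(ipaddress.ip_address(pkt[12:16])),
                str(ipaddress.ip_address(pkt[16:20])), pkt[ihl:])


def gre_decap(outer: IPv4) -> IPv4:
    """What the tunnel interface hands to the inside: the inner IPv4 packet."""
    if outer.proto != 47:
        raise ValueError("not GRE")
    flags, ptype = struct.unpack("!HH", outer.payload[:4])
    hdr_len = 4
    for bit in (0x8000, 0x2000, 0x1000):  # optional checksum, key, sequence fields
        if flags & bit:
            hdr_len += 4
    if ptype != 0x0800:
        raise ValueError("inner protocol is not IPv4")
    return parse_ipv4(outer.payload[hdr_len:])


def acl_matches(pkt: IPv4, proto: int, dst: str) -> bool:
    """One 'deny <proto> any host <dst>' entry, evaluated on the header given."""
    return pkt.proto == proto and pkt.dst == dst


def edge_acl_sees_inner(outer_bytes: bytes, proto: int, dst: str):
    """(match at peering edge, match after tunnel decapsulation) for one ACE."""
    outer = parse_ipv4(outer_bytes)
    return acl_matches(outer, proto, dst), acl_matches(gre_decap(outer), proto, dst)


# Constructed sample: scrubbed UDP packet for a protected host, tunnelled from
# the provider's endpoint 192.0.2.10 to our tunnel endpoint 198.51.100.1.
INNER = ipv4_header("203.0.113.7", "10.10.1.20", 17, 8) + b"\x00" * 8
SAMPLE_OUTER = gre_encap("192.0.2.10", "198.51.100.1", INNER)


def demo():
    return edge_acl_sees_inner(SAMPLE_OUTER, 17, "10.10.1.20")


if __name__ == "__main__":
    print(best_route("10.10.1.20"), best_route("10.10.2.5"))
    print(demo())  # (False, True): the edge ACL sees GRE, the tunnel side sees UDP
```

Part 1 also shows the flip side of the low-touch approach: only hosts inside a prefix the provider actually announces (10.10.1.20) are pulled through scrubbing, while the rest of the aggregate (10.10.2.5) still arrives directly. Part 2 is why an ACL or monitoring rule written for the inner destination has to sit on or behind the tunnel interface rather than at the peering edge, where the packet is protocol 47 to the tunnel endpoint.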