[c-nsp] BGP DFZ convergence time - FIB programming

Robert Raszuk robert at raszuk.net
Sat Oct 13 17:01:28 EDT 2018


>
> Sounds standard practice.
>

This way of (D)DoS mitigation results in cutting the poor target
completely out of the network ... So the attacker succeeded very well with
your assistance, as legitimate users can no longer reach the guy. Is it
his fault that he got attacked?

Do you also do the same if this is transit traffic?

When do you remove such a black hole? Do you look at the ingress counters to
the target?

Did you ever, instead of the above, consider automation to apply at least
src-dst + ports filters with Flow Spec and just rate limit the malicious
distributed flows (RFC 5575)?

Thx,
R.
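
Added example, not part of the original post: a Python sketch of what the Flow Spec alternative mentioned above carries on the wire, encoding an RFC 5575 NLRI that matches on destination, source, protocol and destination port, plus the traffic-rate extended community that rate limits the match instead of dropping everything to the target. The prefixes, port, AS number and rate are constructed values, and the function names are hypothetical.

```python
import ipaddress
import struct

# Component types from RFC 5575 section 4
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT = 1, 2, 3, 5

def prefix_component(ctype, cidr):
    """Type, prefix length in bits, then only the significant prefix octets."""
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_eq(ctype, values):
    """Encode 'field == v1 OR field == v2 ...' as {operator, value} pairs."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        size_code = 0 if v < 0x100 else 1      # 1-byte or 2-byte value
        op = (size_code << 4) | 0x01           # length bits plus the eq bit
        if i == len(values) - 1:
            op |= 0x80                         # end-of-list bit on the last pair
        out.append(op)
        out += v.to_bytes(1 << size_code, "big")
    return bytes(out)

def flowspec_nlri(dst, src, proto, dst_ports):
    # Components must appear in ascending type order.
    body = (prefix_component(DST_PREFIX, dst)
            + prefix_component(SRC_PREFIX, src)
            + numeric_eq(IP_PROTO, [proto])
            + numeric_eq(DST_PORT, dst_ports))
    if len(body) < 240:
        return bytes([len(body)]) + body       # 1-octet length
    return struct.pack("!H", 0xF000 | len(body)) + body   # 2-octet length

def traffic_rate(asn, bytes_per_sec):
    """Extended community 0x8006: 2-octet AS, IEEE float rate in bytes/s.
    A rate of 0 discards the matched flow; anything else rate limits it."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bytes_per_sec)

if __name__ == "__main__":
    # Constructed sample: UDP/53 from 198.51.100.0/24 to the target 192.0.2.10,
    # limited to 125000 bytes/s (1 Mbit/s). All other traffic to the target
    # is left alone, unlike a destination blackhole.
    nlri = flowspec_nlri("192.0.2.10/32", "198.51.100.0/24", 17, [53])
    print("NLRI:     ", nlri.hex())
    print("community:", traffic_rate(64512, 125000.0).hex())
```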

