[c-nsp] BGP DFZ convergence time - FIB programming
Nick Hilliard
nick at foobar.org
Sat Oct 13 17:22:51 EDT 2018
Robert Raszuk wrote on 13/10/2018 22:01:
> This way of (D)DoS mitigation results in cutting the poor target
> completely out of the network ... So the attacker succeeded very well
> with your assistance, as legitimate users cannot any more reach the
> guy.
Service providers usually care more about the continuity of their
network than the uptime of a single IP address. If a network is hit by
a DDoS which is 10x the ingress transit + peering capacity, most
sensible people are going to blackhole the affected IP address and also
signal to upstreams that it should be blackholed. Unless you set out to
design a network with enough capacity to withstand giant DDoS events,
RTBH with upstream blackholing will remain a useful tool in the box.
> Is it his fault that he got attacked ?
Saturated network links don't have an opinion on blame.
But to bring things back to the topic, yes, there are several
well-established cases where policy is applied to ingress iBGP sessions.
Nick
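As an added example that is not part of this thread, a minimal Cisco IOS-style RTBH configuration for the workflow Nick describes: a trigger router installs a tagged Null0 route, ingress iBGP policy on the edges maps the blackhole community to a discard next-hop, and only host routes inside the network's own aggregate are passed to the upstream. The AS numbers, addresses, the tag and the assumption that the upstream honours the RFC 7999 community 65535:666 are placeholders.

```cisco
! --- Trigger router inside AS 64500 (all addresses, ASNs and the tag are placeholders) ---
! Installing a tagged static route to Null0 for the attacked host is the trigger.
ip route 192.0.2.10 255.255.255.255 Null0 tag 666
!
router bgp 64500
 ! Only tagged statics are redistributed, so ordinary static routes never leak into BGP.
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 send-community
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 ! Next-hop becomes a discard address that every edge router points at Null0.
 set ip next-hop 198.51.100.1
 ! 65535:666 is the RFC 7999 BLACKHOLE community.
 set community 65535:666
 set origin igp
!
! --- Edge router: the ingress-iBGP policy and the upstream signalling ---
! Anything whose next-hop resolves to the discard address is dropped in the FIB.
ip route 198.51.100.1 255.255.255.255 Null0
!
ip community-list standard BLACKHOLE permit 65535:666
! Blackholes may only be raised for host routes inside our own customer aggregate.
ip prefix-list OWN-HOSTS seq 5 permit 192.0.2.0/24 ge 32
ip prefix-list OWN-AGG seq 5 permit 192.0.2.0/24
!
router bgp 64500
 neighbor 10.0.0.1 remote-as 64500
 neighbor 10.0.0.1 route-map RTBH-IN in
 ! Upstream transit; the blackhole community must be one the upstream has agreed to honour.
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 send-community
 neighbor 203.0.113.1 route-map TO-UPSTREAM out
!
! Ingress iBGP policy: force the discard next-hop on owned hosts carrying the community,
! drop blackhole announcements for prefixes we do not own, accept everything else untouched.
route-map RTBH-IN permit 10
 match community BLACKHOLE
 match ip address prefix-list OWN-HOSTS
 set ip next-hop 198.51.100.1
route-map RTBH-IN deny 15
 match community BLACKHOLE
route-map RTBH-IN permit 20
!
! Outbound: the tagged /32 and our aggregate go to the upstream; the implicit deny drops the rest.
route-map TO-UPSTREAM permit 10
 match community BLACKHOLE
 match ip address prefix-list OWN-HOSTS
route-map TO-UPSTREAM permit 20
 match ip address prefix-list OWN-AGG
```

After triggering, `show ip bgp 192.0.2.10` on an edge should show next-hop 198.51.100.1 and `show ip route 198.51.100.1` should resolve to Null0.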