[c-nsp] BGP DFZ convergence time - FIB programming
Mark Tinka
mark.tinka at seacom.mu
Sun Oct 14 05:57:45 EDT 2018
On 13/Oct/18 23:01, Robert Raszuk wrote:
>
> This way of (D)DoS mitigation results in cutting the poor target
> completely out of the network ... So the attacker succeeded very well
> with your assistance, as legitimate users cannot reach the guy
> any more. Is it his fault that he got attacked?
>
> Do you also do the same if this is transit traffic?
>
> When do you remove such a black hole? You look at the ingress counters
> to the target?
>
> Did you ever, instead of the above, consider automation to apply at
> least src-dst + ports filters with Flow Spec and just rate limit the
> malicious distributed flows (rfc5575)?

We provide 2 options - the poor man's one (which completes the attack)
and the paid-for one, which cleans the attack.

Mark.