[nsp-sec] DDoS Chicken and Egg Problem

Jason Gardiner gardiner at purdigital.net
Wed Mar 26 15:40:28 EDT 2008


Hey,

So we have some GigE feeds with an InterNAP that are rate limited.  A 
while back, we had a DoS attack that filled the pipe.  Unfortunately the 
provider is doing simple rate limiting, so BGP was caught up in the 
policing and the sessions dropped.

We are running remote triggered blackhole with the provider, but the 
whole exercise raised a very interesting question.  How does one send 
the BGP community trigger to the provider if the provider isn't doing 
anything to assure that the BGP session remains stable during an 
attack?  I suggested exempting BGP from policing to avoid the catch-22, 
but they didn't see value in doing so.

Any thoughts or recommendations would be appreciated.

-- 
Thanks,

Jason Gardiner
$company_name Engineering

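Added illustration, not part of the post above or of any nsp-sec reply: a Cisco IOS sketch of the two halves of the problem Jason describes. The first part is the customer-side RTBH trigger (a tagged static to Null0 that is redistributed into BGP with the provider's blackhole community); the second part shows the "simple rate limiting" a provider might run beside the variant he proposed, where the BGP session is classified first and never policed. ASNs 64496/64500, link addresses 192.0.2.1/.2, prefix 203.0.113.0/24, the community 64500:666, interface and policy names are all assumptions for the example; InterNAP's real blackhole community and policer are not given in the post and are not reproduced here.

```ios
! ==== Customer edge: remote triggered blackhole sender (assumed ASN 64496) ====
! Blackhole community is hypothetical; substitute the one the provider documents.
ip community-list standard RTBH permit 64500:666
!
ip prefix-list OUR-PREFIXES seq 5 permit 203.0.113.0/24
ip prefix-list RTBH-HOSTS seq 5 permit 203.0.113.0/24 ge 32
!
! Trigger: a /32 for the victim pointed at Null0 and tagged 666. Adding and
! removing this one line is the whole on/off switch.
ip route 203.0.113.7 255.255.255.255 Null0 tag 666
!
! Only tagged statics are redistributed, and they pick up the community
! the provider acts on.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set community 64500:666 additive
!
! Outbound policy: our aggregate, plus /32s that carry the RTBH community.
route-map TO-PROVIDER permit 10
 match ip address prefix-list OUR-PREFIXES
route-map TO-PROVIDER permit 20
 match ip address prefix-list RTBH-HOSTS
 match community RTBH
!
router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 redistribute static route-map RTBH-TRIGGER
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 send-community
 neighbor 192.0.2.1 route-map TO-PROVIDER out
!
! ==== Provider edge, customer-facing GigE (assumed ASN 64500) ====
! Match only the session between the two link addresses, in both directions,
! so the exemption cannot be reached by arbitrary port-179 traffic.
ip access-list extended BGP-SESSION-ACL
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
!
class-map match-all BGP-SESSION
 match access-group name BGP-SESSION-ACL
!
! Weak: one bucket for everything. Attack packets and BGP keepalives draw
! from the same tokens, so a flood that exceeds the contracted rate polices
! the session along with it, and the trigger never gets through.
policy-map CUSTOMER-RATE-LIMIT-WEAK
 class class-default
  police cir 1000000000 bc 1875000
   conform-action transmit
   exceed-action drop
!
! Corrected: BGP is classified first with no police action, so it is passed
! untouched; everything else still gets the contracted rate.
policy-map CUSTOMER-RATE-LIMIT
 class BGP-SESSION
 class class-default
  police cir 1000000000 bc 1875000
   conform-action transmit
   exceed-action drop
!
interface GigabitEthernet0/1
 description Customer 64496 (assumed name)
 ip address 192.0.2.1 255.255.255.252
 service-policy input CUSTOMER-RATE-LIMIT
 service-policy output CUSTOMER-RATE-LIMIT
```

In MQC a class with no action simply matches and forwards, which is what makes the BGP-SESSION class an exemption rather than a second policer; the order of classes matters, since class-default is evaluated last. The policy is applied in both directions because the attack fills the customer-bound side while the trigger travels the other way, and both directions of the TCP session must survive for the hold timer not to expire. Restricting the class to the two link addresses is the check worth keeping: an exemption on "any tcp eq bgp" would let spoofed port-179 traffic bypass the policer entirely.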