Re: BGP FlowSpec

[Martin Bacher <ti14m028 () technikum-wien at>]

> Am 03.05.2016 um 00:06 schrieb Roland Dobbins <rdobbins () arbor net>:
>
> On 3 May 2016, at 4:51, jim deleskie wrote:
>
> > I was going to avoid this thread because I've never been a huge fan of Flowspec for my own reasons.
>
> Flowspec is an extremely useful tool, IMHO - not only for direct, layer-4-granular mitigation leveraging linecard 
> ASICs, but for more granular and selective diversion into mitigation centers, as well.  And its value is growing with 
> increased platform support.  It isn't perfect (nothing is), and operators must be aware of its 
> performance/scalability envelope on a given platform, but it's a great tool to have in the toolbox.
+1

> > I can say I, nor any of my peers ( in any sense of that word) that I have known, have wanted to keep "bad " traffic 
> > on our networks so we can bill for it.
>
> +1!
>
> I ran into this situation precisely twice early in the 'oughts ("Let the packets come!" was the quote which stood out 
> in my mind); those espousing it pretty quickly changed their tunes once their networks had been knocked flat a couple 
> of times.
Let the packets come is not the message. But an upstream ISP can either drop the traffic to reduce the impact on the 
own network and the customers which are not attacked directly or remark and/or rate-limit the particular flows with 
nearly, of course not for the customer under attack, the same result. And please don’t get me wrong. I am not a fan of 
implementing it that way. 

I also want to add something to keeping bad traffic: Well, nobody wants to keep bad traffic. But that does not imply 
that all upstream ISPs are filtering out attacks by default for customers which are not paying for that. This is at 
least my interpretation from reading the various available DDoS reports and research papers. 

> ;>
>
> -----------------------------------
> Roland Dobbins <rdobbins () arbor net>