[FCIX] DDoS mitigation for peers

Mike mike at yourtownonline.com
Mon Jan 23 16:15:02 PST 2023


Hi,

     We are an ISP and have a certain amount of DDoS mitigation on our 
IP transit (RTBH advertised to IP transit, and BGP flowspec internal to 
us). This works to squelch DDoS flows in most cases, even at the expense 
of that one end user that is the unfortunate target. However, this 
arrangement really only works because our IP transit honors a community 
that triggers RTBH so our transit links don't get smashed. In the case 
of a peer, such as you fine folks on FCIX, however, we have no such 
luxury. The route-servers are just playing matchmaker so we know the L2 
nexthop for any route, but there is no direct BGP and thus no way to 
advertise an RTBH even assuming we knew which peer was sending to us in 
a hypothetical flood. In theory then, while IP transit can be mitigated, 
a peer sending a flood cannot (except by locally dropping the bad flows, 
which allows the peering port to be flooded).

     Surely, this situation has been thought about and someone has a 
well engineered solution to this problem? I think we likely could 
establish BGP peering across FCIX and only allow peers that support 
RTBH, but that would exclude some whom we may want peering with 
anyway because they have cool rainbow striped packets we also want in 
our network, even if they might not support RTBH (I'm looking at 
you, AS399306!). I think the likelihood of a DDoS being delivered over 
the peering connections is far less than the likelihood of being 
received over IP transit; still, it seems like this would be an issue to 
consider. And if we were to go through the trouble of establishing BGP with 
everyone who says they can support RTBH, it seems like a huge 
administrative burden. Is there any other best practice solution or are 
we just on our own?


Mike Ireton

Your Town Online, Inc

AS11472
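The asymmetry Mike describes (a transit that honors a blackhole community can stop a flood upstream, a route-server peer with no direct BGP session cannot, so only a local drop remains and the IX port stays exposed) can be expressed as a small mitigation planner. This is an added illustration, not code from the list or from FCIX; the session names, the communities, the discard next-hop and the ExaBGP-style command strings are all constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional

@dataclass
class Session:
    name: str
    kind: str                                 # "transit", "ix-route-server" or "ix-direct"
    blackhole_community: Optional[str] = None # community the neighbor honors for RTBH; None = unsupported

@dataclass
class Mitigation:
    rtbh: List[str] = field(default_factory=list)          # announcements toward neighbors
    local_drop: List[str] = field(default_factory=list)    # flowspec rules inside our own network
    exposed_ports: List[str] = field(default_factory=list) # sessions whose link can still fill up

def plan_mitigation(victim: str, sessions: List[Session],
                    discard_next_hop: str = "192.0.2.1") -> Mitigation:
    """Decide per session how a flood toward `victim` can be squelched.

    A blackhole community only helps where we have a direct BGP session with
    the network that forwards the flood. Route-server sessions never qualify:
    the route server is only the matchmaker, so no RTBH reaches the sender and
    the IX port remains exposed even though we drop the flow locally.
    """
    host = ip_network(victim, strict=True)
    if host.prefixlen != host.max_prefixlen:
        raise ValueError("RTBH is announced for the single victim host, not a wider prefix")
    plan = Mitigation()
    # Assumed ExaBGP-style syntax for a local flowspec discard (constructed, for illustration).
    plan.local_drop.append(
        f"announce flow route {{ match {{ destination {host}; }} then {{ discard; }} }}")
    for s in sessions:
        if s.kind == "ix-route-server" or not s.blackhole_community:
            plan.exposed_ports.append(s.name)       # nothing upstream will drop it for us
            continue
        plan.rtbh.append(                           # assumed ExaBGP-style RTBH announcement
            f"neighbor {s.name} announce route {host} next-hop {discard_next_hop} "
            f"community [{s.blackhole_community}]")
    return plan

if __name__ == "__main__":
    # Constructed session table: one transit, the IX route server, one direct IX peer.
    table = [Session("transit-a", "transit", "65000:666"),
             Session("fcix-rs", "ix-route-server"),
             Session("peer-x", "ix-direct", "64500:666")]
    print(plan_mitigation("203.0.113.7/32", table))
```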
