[FCIX] DDoS mitigation for peers
Mike Damm
md at m-d.net
Mon Jan 23 16:21:27 PST 2023
I think you want UTRS. It is a trusted community where you can push a
prefix and all the other members blackhole it at their network edges.
https://www.team-cymru.com/ddos-mitigration-services
Team Cymru are good people. If you need any help getting it set up, feel
free to ping me off-list.
On Mon, Jan 23, 2023 at 4:15 PM Mike via Members <members at fcix.net> wrote:
> Hi,
>
> We are an ISP and have a certain amount of DDoS mitigation on our
> ip transit (RTBH advertised to iptransit, and BGP flowspec internal to
> us). This works to squelch ddos flows in most cases, even at the expense
> of that one end user that is the unfortunate target. However, this
> arrangement really only works because our ip transit honors a community
> that triggers RTBH so our transit links don't get smashed. In the case
> of a peer, such as you fine folks on fcix, however, we have no such
> luxury. The route-servers are just playing matchmaker so we know the l2
> nexthop for any route, but there is no direct BGP and thus no way to
> advertise an RTBH even assuming we knew which peer was sending to us in
> a hypothetical flood. In theory then, while ip transit can be mitigated,
> a peer sending a flood cannot (except by locally dropping the bad flows,
> which allows the peering port to be flooded).
>
> Surely, this situation has been thought about and someone has a
> well engineered solution to this problem? I think we likely could
> establish BGP peering across fcix and only allow peers that support
> RTBH, but that would exclude some who likely we may want peering with
> anyways because they have cool rainbow striped packets we also want in
> our network anyways, even if they might not support RTBH (I'm looking at
> you, AS399306!). I think the likelihood of a ddos being delivered over
> the peering connections is far less than the likelihood of being
> received over iptransit, still, it seems like this would be an issue to
> consider. And if we were to go thru the trouble of establishing BGP with
> everyone who says they can support RTBH, it seems like a huge
> administrative burden. Is there any other best practice solution or are
> we just on our own?
>
>
> Mike Ireton
>
> Your Town Online, Inc
>
> AS11472
>
> --
> Members mailing list
> Members at fcix.net
> https://mail.fcix.net/mailman/listinfo/members
>
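A practical check behind both the RTBH and UTRS approaches discussed in this thread is that a blackhole request must be a host route, carry the blackhole community, and fall inside the address space the requesting AS is actually authorized to announce; otherwise a peer could null-route someone else's prefixes. The following is an added example, not code from the thread, FCIX or Team Cymru: it assumes the RFC 7999 BLACKHOLE community 65535:666 and a constructed authorization table (documentation prefixes assigned to AS11472 for illustration only).

```python
"""Validate RTBH (blackhole) announcements before honoring or relaying them.

Added example, not from the FCIX thread. Only host routes carrying the
BLACKHOLE community and lying within the requesting AS's authorized space
are accepted; everything else is rejected with a reason for logging.
"""
import ipaddress
from dataclasses import dataclass

BLACKHOLE = (65535, 666)  # RFC 7999 BLACKHOLE well-known community

# Constructed authorization table: prefixes each peer AS may blackhole.
# In practice this would be built from IRR route objects or RPKI ROAs.
AUTHORIZED = {
    11472: [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("2001:db8:100::/48")],
}


@dataclass
class Announcement:
    peer_asn: int
    prefix: str
    communities: list  # list of (asn, value) tuples


def validate_rtbh(ann: Announcement, authorized=AUTHORIZED):
    """Return (accept, reason) for a blackhole request."""
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError as exc:
        return False, f"unparseable prefix: {exc}"
    if BLACKHOLE not in ann.communities:
        return False, "missing BLACKHOLE community 65535:666"
    # Only single-host routes: blackholing a whole /24 takes down every
    # customer in it, not just the victim of the flood.
    if net.prefixlen != net.max_prefixlen:
        return False, f"/{net.prefixlen} is not a host route (/{net.max_prefixlen})"
    allowed = authorized.get(ann.peer_asn, [])
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, f"{net} is outside AS{ann.peer_asn}'s authorized space"
    return True, f"blackhole {net} (requested by AS{ann.peer_asn})"
```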