[FCIX] DDoS mitigation for peers
Nigel Vander Houwen
nigel at nullroutenetworks.com
Mon Jan 23 16:29:10 PST 2023
The route servers do support some communities, and can give you some control on what peers to allow in this hypothetical, even if not a specific RTBH /32.
https://fcix.net/rs-policy.html
Nigel
> On Jan 23, 2023, at 16:15, Mike via Members <members at fcix.net> wrote:
>
> Hi,
>
> We are an ISP and have a certain amount of DDoS mitigation on our IP transit (RTBH advertised to IP transit, and BGP flowspec internal to us). This works to squelch DDoS flows in most cases, even at the expense of that one end user that is the unfortunate target. However, this arrangement really only works because our IP transit honors a community that triggers RTBH so our transit links don't get smashed. In the case of a peer, such as you fine folks on FCIX, however, we have no such luxury. The route-servers are just playing matchmaker so we know the L2 nexthop for any route, but there is no direct BGP and thus no way to advertise an RTBH even assuming we knew which peer was sending to us in a hypothetical flood. In theory then, while IP transit can be mitigated, a peer sending a flood cannot (except by locally dropping the bad flows, which allows the peering port to be flooded).
>
> Surely, this situation has been thought about and someone has a well engineered solution to this problem? I think we likely could establish BGP peering across FCIX and only allow peers that support RTBH, but that would exclude some who likely we may want peering with anyways because they have cool rainbow striped packets we also want in our network anyways, even if they might not support RTBH (I'm looking at you, AS399306!). I think the likelihood of a DDoS being delivered over the peering connections is far less than the likelihood of being received over IP transit, still, it seems like this would be an issue to consider. And if we were to go through the trouble of establishing BGP with everyone who says they can support RTBH, it seems like a huge administrative burden. Is there any other best practice solution or are we just on our own?
>
>
> Mike Ireton
>
> Your Town Online, Inc
>
> AS11472
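To make concrete what Nigel's "control on what peers to allow" looks like at a route server, and why a /32 RTBH cannot be pushed through one, here is an added example (not FCIX's code, and not taken from the rs-policy page) that models the community convention many IXP route servers use: `(0, PEER_AS)` suppresses export to one peer, `(RS_AS, PEER_AS)` allows it, and `(0, RS_AS)` withholds the route from everyone not explicitly allowed. The route-server ASN, peer ASNs, prefixes and the /24 and /48 import limits are all constructed assumptions; FCIX's actual values are documented at https://fcix.net/rs-policy.html and may differ. The `withhold_from` helper shows the ISP-side move: re-announce the covering prefix with a per-peer "do not export" tag, so that one peer stops sending you traffic over the IX port while every other peer is unaffected.

```python
"""Route-server export policy driven by BGP communities (added example).

Not FCIX's or any vendor's code. It models the community convention used
by many IXP route servers:
    (0, PEER_AS)      -> do not export this route to PEER_AS
    (RS_AS, PEER_AS)  -> export this route to PEER_AS
    (0, RS_AS)        -> export to nobody unless explicitly allowed
RS_AS, the peer ASNs and the prefix-length limits are constructed
placeholders; FCIX's real values are at https://fcix.net/rs-policy.html.
"""
import ipaddress
from dataclasses import dataclass

RS_AS = 64512                      # placeholder route-server ASN (private range)
MAX_PREFIX_LEN = {4: 24, 6: 48}    # assumed RS import limit: /32s are not accepted


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_as: int
    communities: frozenset = frozenset()   # set of (asn, value) tuples


def rs_accepts(route):
    """Import check: reject prefixes more specific than the assumed limit.

    This is the reason an RTBH /32 cannot be delivered via the route server;
    only the covering aggregate is ever installed there.
    """
    net = ipaddress.ip_network(route.prefix, strict=True)
    return net.prefixlen <= MAX_PREFIX_LEN[net.version]


def rs_exports_to(route, peer_as, rs_as=RS_AS):
    """Export decision for a single peer; a per-peer block beats an allow."""
    c = route.communities
    if (0, peer_as) in c:          # explicit "do not send to this peer"
        return False
    if (rs_as, peer_as) in c:      # explicit "send to this peer"
        return True
    if (0, rs_as) in c:            # "send to nobody" unless allowed above
        return False
    return True                    # default: announce to every RS peer


def rs_export_table(route, peers, rs_as=RS_AS):
    """Map each RS peer to whether it receives the route (empty if not imported)."""
    if not rs_accepts(route):
        return {}
    return {p: rs_exports_to(route, p, rs_as) for p in peers}


def withhold_from(route, peer_asns):
    """ISP-side mitigation: tag the covering prefix so the route server stops
    exporting it to the named peers, leaving all other peers untouched."""
    extra = {(0, asn) for asn in peer_asns}
    return Route(route.prefix, route.origin_as, route.communities | extra)


if __name__ == "__main__":
    peers = [65001, 65002, 65003]                 # constructed RS peer ASNs
    aggregate = Route("203.0.113.0/24", 64496)    # constructed ISP aggregate
    print("normal:   ", rs_export_table(aggregate, peers))
    print("withheld: ", rs_export_table(withhold_from(aggregate, [65002]), peers))
    print("/32 RTBH accepted by RS?", rs_accepts(Route("203.0.113.7/32", 64496)))
```

The withheld peer no longer learns the prefix over the IX at all, so its traffic toward you moves to whatever other path it has; the trade-off, as Mike notes, is coarser than a /32 blackhole because it affects the whole covering prefix for that one peer.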