Remote DDoS protection has a few points. The below applies to DDoS protection that cannot normally be in the traffic flow.

1. It can break IPsec tunnels that were set up prior to the mitigation. We saw this a lot at Arbor; it is due to the MTU becoming fixed when the IPsec tunnel comes up. When you swing the traffic into mitigation, the new end-to-end MTU is now smaller than when the tunnel came up. We would tell clients to hard-set a smaller MTU, like 14xx something, in the IPsec so the tunnels would stay up during the mitigation. Otherwise the tunnel would have to be bounced to come back up.
2. To bring the clean traffic back into the network, the most common is GRE tunnels, but this is really limited to 1-2 Gbps on most platforms.
3. The good remote DDoS protection is very expensive.
4. You will need a minimum of a /24 that you have permission to allow another AS to announce.
5. Most services base pricing on Gbps of clean traffic coming off the back end.

On Wed, Jan 20, 2021, 8:50 PM Dev <d...@logicalwebhost.com> wrote:

> If you do BGP you can send it to a black hole, otherwise if the link is truly saturated and unusable, you’ll probably be talking upstream to someone who can help. Later you can buy proxy scrubbing services or get an Arbor box, but that probably doesn’t help you now.
>
> On Jan 20, 2021, at 3:55 PM, Matt Hoppes <mattli...@rivervalleyinternet.net> wrote:
> >
> > Any ideas how to mitigate DDOS attacks when you’re on CGNAT with maybe 100 people behind one IP concentrator?

--
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
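
The MTU arithmetic behind point 1 of the reply above, as an added example that is not part of the original post. It assumes IPv4, ESP tunnel mode, a 1500-byte link and a plain 24-byte GRE encapsulation on the clean-traffic return path; the function names, the cipher table and the 1400-byte sample value are illustrative.

```python
"""Added example: ESP packet sizing before and after a GRE clean-traffic return path."""

GRE_OVERHEAD = 24  # assumption: outer IPv4 header (20) + basic GRE header (4), no key/sequence

# ESP parameters per suite: (IV bytes, padding alignment bytes, ICV bytes)
ESP_SUITES = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),
}


def esp_packet_size(inner_len, suite, nat_t=False):
    """On-wire size of an ESP tunnel-mode packet carrying an inner packet of inner_len bytes."""
    iv, align, icv = ESP_SUITES[suite]
    # Inner packet plus the 2-byte trailer (pad length, next header) is padded up to the alignment.
    padded = -(-(inner_len + 2) // align) * align
    outer_ip, esp_hdr = 20, 8            # outer IPv4 header, SPI + sequence number
    udp = 8 if nat_t else 0              # UDP encapsulation when NAT traversal is in use
    return outer_ip + udp + esp_hdr + iv + padded + icv


def max_inner_mtu(path_mtu, suite, nat_t=False):
    """Largest inner packet whose ESP packet still fits within path_mtu."""
    inner = path_mtu
    while inner > 0 and esp_packet_size(inner, suite, nat_t) > path_mtu:
        inner -= 1
    return inner


def survives_mitigation(tunnel_mtu, suite, link_mtu=1500, nat_t=False):
    """True if a full-size packet at tunnel_mtu still fits once traffic returns over GRE."""
    return esp_packet_size(tunnel_mtu, suite, nat_t) <= link_mtu - GRE_OVERHEAD


if __name__ == "__main__":
    suite = "aes-cbc/hmac-sha1-96"
    normal = max_inner_mtu(1500, suite)                      # tunnel sized for the normal path
    mitigated = max_inner_mtu(1500 - GRE_OVERHEAD, suite)    # same tunnel behind the GRE return
    print(f"inner MTU on a 1500-byte path:       {normal}")
    print(f"inner MTU behind GRE (1476 bytes):   {mitigated}")
    for mtu in (normal, 1400):                               # 1400 is a constructed sample value
        ok = survives_mitigation(mtu, suite)
        print(f"tunnel MTU {mtu}: {'fits' if ok else 'too large'} during mitigation")
```

A tunnel MTU that passes `survives_mitigation` for the negotiated cipher suite is one that does not depend on the path staying at 1500 bytes.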