Robert Raszuk wrote on 13/10/2018 22:01:
> This way of (D)DoS mitigation results in cutting the poor target
> completely out of the network ... So the attacker succeeded very well
> with your assistance as legitimate users can not any more reach the
> guy.

Service providers usually care more about the continuity of their network than the uptime of a single IP address. If a network is hit by a DDoS which is 10x the ingress transit + peering capacity, most sensible people are going to blackhole the affected IP address and also signal to upstreams that it should be blackholed. Unless you set out to design a network with enough capacity to withstand giant DDoS events, RTBH with upstream blackholing will remain a useful tool in the box.

> Is it his fault that he got attacked?

Saturated network links don't have an opinion on blame.

But to bring things back to the topic, yes, there are several well-established cases where policy is applied to ingress iBGP sessions.

Nick
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/