Hi Roland,

Thank you for your comments and resources. I think you may have misunderstood our email (we could've made our email more clear -- apologies). The following is our explanation if we interpreted your email correctly.

What we meant by "may not have necessary capacity" is that routers do not have enough CAM/TCAM space to deploy/install ACLs or BGP FlowSpec rules against large-scale DDoS attacks without 1) incurring major collateral damage (e.g., deploying /16 source-based rules instead of /32 so that more DDoS traffic can be filtered while using less CAM/TCAM space), or 2) performance penalties that are introduced by deploying more filters than a router's data plane can support (i.e., data plane to control plane I/O limitation).

We believe DDoS mitigation based on layer 3 and/or 4 information can be fine-grained. As a matter of fact, when we referred to fine-grained traffic filtering in our original email, we meant DDoS mitigation based on layer 3 and 4 information.

I hope this addresses your concerns.

Best,
Lumin

On Tue, Jan 14, 2020 at 2:31 PM Dobbins, Roland <roland.dobb...@netscout.com> wrote:
>
> On 14 Jan 2020, at 1:56, Lumin Shi wrote:
>
> > We believe that many routers on the Internet
> > today may not have the necessary capacity to perform fine-grained
> > traffic
> > filtering, especially when facing a large-scale DDoS attack with or
> > without
> > IP spoofing.
>
> There are literally decades of information on these topics available
> publicly. Router and switch ACLs (both static and dynamically-updated
> via flow spec), D/RTBH, S/RTBH, intelligent DDoS mitigation systems
> (IDMSes; full disclosure, I work for a vendor of such systems), et
> al. are all used to mitigate DDoS attacks.
>
> Your comments about routers not having the 'capacity' (I think you mean
> capability) to filter traffic due to a lack of granularity are
> demonstrably inaccurate. While it's always useful to be able to parse
> into packets as deeply as practicable in hardware, layer-4 granularity
> has been and continues to be useful in mitigating DDoS attacks on an
> ongoing basis. Whether or not the traffic in question is spoofed is
> irrelevant, in this particular context.
>
> Here are some .pdf presentations on the general topic of DDoS
> mitigation:
>
> <https://app.box.com/s/4h2l6f4m8is6jnwk28cg>
>
> There are lots of write-ups and videos of presentations given at
> conferences like NANOG which address these issues; they can easily be
> located via the use of search engines.
>
> --------------------------------------------
> Roland Dobbins <roland.dobb...@netscout.com>
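The trade-off Lumin describes above, where a limited CAM/TCAM budget forces an operator to install coarser source-based rules (e.g. /16 instead of /32) and thereby drop legitimate clients as collateral damage, can be worked through with a small script. The following Python example is added here and is not part of the thread or of either author's work; the attacker and client addresses, the TCAM budgets, and the one-prefix-costs-one-entry cost model are all constructed assumptions for illustration.

```python
"""
Constructed example: choosing the source-prefix granularity of DDoS
drop rules under a fixed TCAM entry budget, and measuring the collateral
damage (legitimate clients caught) that coarser prefixes cause.

Every address below is made up from documentation/shared-address ranges;
the budgets are illustrative, not any vendor's real TCAM size.
"""
import ipaddress

# Constructed attack sources: three dense /24 clusters plus hosts spread
# across ten /24s of a single /16 (110 /32 sources in total).
ATTACKERS = (
    [f"198.51.100.{i}" for i in range(1, 41)]     # 40 hosts in one /24
    + [f"203.0.113.{i}" for i in range(1, 31)]    # 30 hosts in another /24
    + [f"192.0.2.{i}" for i in range(10, 30)]     # 20 hosts in a third /24
    + [f"100.64.{j}.{k}" for j in range(10) for k in (1, 2)]  # 20 hosts across one /16
)

# Constructed legitimate clients, some of which share /24s or /16s with attackers.
LEGITIMATE = (
    [f"198.51.100.{i}" for i in range(200, 210)]  # same /24 as the first cluster
    + [f"100.64.{j}.50" for j in range(10)]        # same /24s as the spread cluster
    + ["192.0.2.200", "203.0.113.250"]             # same /24s as the other clusters
    + ["198.51.7.1", "203.0.9.9"]                  # same /16 only, different /24
    + ["10.0.0.5"]                                 # shares nothing with attackers
)


def aggregate(sources, prefix_len):
    """Collapse host addresses into the distinct networks of length prefix_len
    that cover them. Assumption: one network == one TCAM entry."""
    return {ipaddress.ip_network(f"{s}/{prefix_len}", strict=False) for s in sources}


def collateral(rules, legitimate):
    """Return the legitimate addresses that the drop rules would also match."""
    return [ip for ip in legitimate
            if any(ipaddress.ip_address(ip) in net for net in rules)]


def plan_filters(attackers, legitimate, tcam_budget, prefix_lengths=(32, 24, 16, 8)):
    """Pick the most specific prefix length whose rule count fits the TCAM
    budget and report what it costs in legitimate clients. Returns None when
    even the coarsest length does not fit, i.e. the router cannot absorb the
    filter set and mitigation must happen elsewhere (scrubbing, RTBH, etc.)."""
    for plen in prefix_lengths:
        rules = aggregate(attackers, plen)
        if len(rules) <= tcam_budget:
            hit = collateral(rules, legitimate)
            return {
                "prefix_len": plen,
                "rules": len(rules),
                "collateral": len(hit),
                "dropped_legit": sorted(hit),
            }
    return None


if __name__ == "__main__":
    for budget in (200, 50, 10, 3):
        print(f"TCAM budget {budget:>3}: {plan_filters(ATTACKERS, LEGITIMATE, budget)}")
```

With the constructed data, a budget of 200 entries allows exact /32 rules with no collateral damage; at 50 entries the plan falls back to thirteen /24 rules that also drop 22 of the 25 legitimate clients; at 10 entries four /16 rules drop 24 of them; at 3 entries nothing fits and the function reports that the router cannot filter this attack on its own.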