On Dec 19, 2013 4:25 PM, "Dobbins, Roland" <rdobb...@arbor.net> wrote:
>
> On Dec 19, 2013, at 6:12 AM, cb.list6 <cb.li...@gmail.com> wrote:
>
> > I am strongly considering having my upstreams simply rate limit ipv4 UDP.
>
> QoS is a very poor mechanism for remediating DDoS attacks. It ensures that programmatically-generated attack traffic will 'squeeze out' legitimate traffic.
>

I agree. But ... I am pretty sure I am going to do it. Trade-offs.

> > During an attack, 100% of the attack traffic is ipv4 udp (dns, chargen, whatever).
>
> Have you checked to see whether you and/or your customers have open DNS recursors, misconfigured CPE devices, etc. which can be used as reflectors/amplifiers on your respective networks?
>
> Have you implemented NetFlow and S/RTBH? Considered building a mitigation center?
>
> <http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
>
> Do you work with your peers/upstreams/downstreams to mitigate DDoS attacks when they ingress your network?

Not answering any of that. But thanks for asking.

> There are lots of things one can do to increase one's ability to detect, classify, traceback, and mitigate DDoS attacks, yet which aren't CAPEX-intensive.

I think ipv4 udp is just going to become operationally deprecated. Too much pollution. It is really an epic amount of trash / value ratio in ipv4 udp.

I recommend folks enable their auth dns servers for ipv6 ... and don't run open resolvers.

CB

> -----------------------------------------------------------------------
> Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
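Roland's "squeeze out" point, as an added Python simulation that is not part of the thread: a single policer applied to all IPv4 UDP cannot tell a reflected flood from legitimate DNS, so it admits both with the same probability and legitimate traffic is dropped in proportion to the attack. The packet rates are constructed assumptions, not figures from the thread.

```python
import random

# Constructed traffic mix: during the attack described in the thread, attack
# traffic dwarfs legitimate IPv4 UDP (DNS, NTP, ...) by two orders of magnitude.
LEGIT_PPS = 1_000     # legitimate IPv4 UDP packets per second (constructed)
ATTACK_PPS = 99_000   # reflected/amplified UDP flood, packets per second (constructed)
LIMIT_PPS = 10_000    # blanket "rate limit ipv4 UDP" policer at the upstream (constructed)


def simulate_shared_udp_limit(legit_pps, attack_pps, limit_pps, seconds=10, seed=1):
    """Simulate one policer applied to *all* IPv4 UDP arriving at an edge.

    Each second, legit_pps legitimate and attack_pps attack packets arrive in a
    random interleaving (the policer only sees "UDP", not who sent it).
    The first limit_pps packets pass and the rest are dropped.
    Returns (legit_survival, attack_survival) as fractions that passed.
    """
    rng = random.Random(seed)
    legit_in = attack_in = legit_out = attack_out = 0
    for _ in range(seconds):
        arrivals = ["legit"] * legit_pps + ["attack"] * attack_pps
        rng.shuffle(arrivals)
        passed = arrivals[:limit_pps]          # policer admits at most limit_pps
        legit_in += legit_pps
        attack_in += attack_pps
        legit_out += passed.count("legit")
        attack_out += passed.count("attack")
    legit_frac = legit_out / legit_in if legit_in else 0.0
    attack_frac = attack_out / attack_in if attack_in else 0.0
    return legit_frac, attack_frac


def expected_survival(legit_pps, attack_pps, limit_pps):
    """Closed form for a well-mixed stream: every packet, legitimate or not, is
    admitted with probability limit/(legit+attack), capped at 1 when there is headroom."""
    return min(1.0, limit_pps / (legit_pps + attack_pps))


if __name__ == "__main__":
    legit, attack = simulate_shared_udp_limit(LEGIT_PPS, ATTACK_PPS, LIMIT_PPS)
    print(f"under attack: legit survives {legit:.1%}, attack survives {attack:.1%}, "
          f"expected {expected_survival(LEGIT_PPS, ATTACK_PPS, LIMIT_PPS):.1%}")
    # Without the attack the same policer is invisible to legitimate traffic.
    quiet, _ = simulate_shared_udp_limit(LEGIT_PPS, 0, LIMIT_PPS)
    print(f"no attack: legit survives {quiet:.1%}")
```

The policer caps the flood at the configured rate, but roughly 90% of legitimate UDP is lost alongside it; only a classifier that separates the two flows (the flow telemetry and S/RTBH Roland mentions) avoids that trade-off.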