> On 27.04.2016 at 18:09, Hank Nussbacher <h...@efes.iucc.ac.il> wrote:
>
> On 27/04/2016 18:58, John Kristoff wrote:
>> On Thu, 21 Apr 2016 09:46:13 +0200
>> Martin Bacher <ti14m...@technikum-wien.at> wrote:
>>
>>> - Intra-AS BGP FlowSpec deployment: Who is running it? For which kind
>>> of attacks are you using it? Are you only dropping or rate-limiting
>>> certain traffic or are you also using the redirect/remark
>>> capabilities? What are the limitations from your perspective? Are you
>>> facing any operational issues? How are you injecting the FlowSpec
>>> routes?
>> Unless you received a number of private responses, perhaps the lack of
>> public responses is telling.
> Geant runs a Firewall on Demand based on BGP Flowspec (Juniper
> routers). You can read more about it here:
> http://www.geant.org/Networks/Network_Operations/PublishingImages/Pages/Firewall-on-Demand/Firewall%20on%20Demand%20User%20Guide.pdf
> https://www.terena.org/activities/tf-csirt/meeting44/Firewall%20on%20Demand_Las_Palmas.pdf

Thank you Hank. That's a pretty nice intra-AS implementation with a nice interface for customers.

Cheers,
Martin

> Regards,
> Hank
>
>>
>> I've heard of a few networks doing this and there is some public record
>> of it being used, including one instance where a bad rule was behind a
>> serious outage:
>>
>> <https://support.cloudflare.com/hc/en-us/articles/200172446-CloudFlare-Post-Mortem-from-Outage-on-March-3-2013>
>>
>>> - Inter-AS: Who is running Inter-AS FlowSpec deployments? What is
>>> your experience? Are there any concerns regarding Inter-AS
>>> deployments? Has anyone done interop tests?
>> You might mine public, archived BGP data and see if there are any
>> traffic filtering rules present (they are encoded in extended
>> communities, which are optional, transitive).
>>
>> We once tried to coordinate an Inter-AS flow-spec project, but it
>> failed miserably due to lack of interest. For posterity, here is the
>> project page:
>>
>> <https://www.cymru.com/jtk/misc/community-fs.html>
>>
>> Literally the only people who were interested in it at the time was one
>> of the spec's co-authors. :-)
>>
>> Since then, we have tried a more modest approach using the well known
>> BGP RTBH technique:
>>
>> <https://www.cymru.com/jtk/misc/utrs.html>
>>
>> This has been much more successful and since we've started we've
>> probably had about a dozen networks express interest in flow-spec
>> rules. Verification of rules is potentially tricky, but
>> widespread interest still lags in my estimation.
>>
>>> - How are you detecting DDoS attacks (Netflow, in-line probes, ..?)
>>> and which applications are you using for the analysis (Peakflow,
>>> Open-Source tools, ..?)
>> Not speaking for anyone in particular, but don't forget about user
>> complaints. In some cases a network may not notice (or care) if an
>> attack is below a certain threshold for their network, but above a
>> stress point downstream.
>>
>> John
>>
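An added example, not part of this thread or of any tool mentioned in it: John's suggestion to mine archived BGP data for FlowSpec rules comes down to recognising the action extended communities (drop/rate-limit, traffic-action, redirect, remark) that RFC 5575 defines, and this decoder classifies them so a batch of communities from a dump can be tallied. It assumes the standard 8-byte encodings (RFC 5575 section 7, plus the RFC 7674 redirect variants); the sample communities at the bottom are constructed, not taken from a real feed.

```python
import struct

# FlowSpec action extended communities (RFC 5575 s.7; RFC 7674 adds the
# extra redirect forms). Keyed by (type, subtype) bytes.
TRAFFIC_RATE, TRAFFIC_ACTION, TRAFFIC_MARKING = (0x80, 0x06), (0x80, 0x07), (0x80, 0x09)
REDIRECT_TYPES = {(0x80, 0x08), (0x81, 0x08), (0x82, 0x08)}

def decode_flowspec_action(ecomm: bytes):
    """Decode one 8-byte extended community; None if it is not a FlowSpec action."""
    if len(ecomm) != 8:
        raise ValueError("extended community must be exactly 8 bytes")
    kind = (ecomm[0], ecomm[1])
    if kind == TRAFFIC_RATE:
        asn, rate = struct.unpack("!Hf", ecomm[2:])   # 2-byte AS, IEEE float rate
        # A rate of 0 bytes/second is how FlowSpec expresses "drop".
        return {"action": "drop" if rate == 0.0 else "rate-limit",
                "asn": asn, "bytes_per_sec": rate}
    if kind == TRAFFIC_ACTION:
        flags = ecomm[7]                               # T (0x01) and S (0x02) bits
        return {"action": "traffic-action",
                "terminal": bool(flags & 0x01), "sample": bool(flags & 0x02)}
    if kind in REDIRECT_TYPES:
        if ecomm[0] == 0x80:                           # 2-byte AS : 4-byte value
            hi, lo = struct.unpack("!HI", ecomm[2:])
        elif ecomm[0] == 0x81:                         # IPv4 address : 2-byte value
            hi, lo = ".".join(map(str, ecomm[2:6])), struct.unpack("!H", ecomm[6:])[0]
        else:                                          # 4-byte AS : 2-byte value
            hi, lo = struct.unpack("!IH", ecomm[2:])
        return {"action": "redirect", "route_target": f"{hi}:{lo}"}
    if kind == TRAFFIC_MARKING:
        return {"action": "remark", "dscp": ecomm[7] & 0x3F}
    return None                                        # plain RT/SoO etc., not FlowSpec

def summarise(ecomms):
    """Tally FlowSpec actions across a batch of communities from a BGP dump."""
    counts = {}
    for ec in ecomms:
        d = decode_flowspec_action(ec)
        if d is not None:
            counts[d["action"]] = counts.get(d["action"], 0) + 1
    return counts

# Constructed sample communities (not from a real dump).
SAMPLE = [
    bytes.fromhex("8006000000000000"),                 # traffic-rate 0 -> drop
    struct.pack("!BBHf", 0x80, 0x06, 65000, 1.25e6),   # rate-limit to 1.25 MB/s
    bytes.fromhex("8008fde800000064"),                 # redirect to RT 65000:100
    bytes.fromhex("800900000000002e"),                 # remark with DSCP 46
    bytes.fromhex("0002fde800000064"),                 # ordinary RT, not FlowSpec
]
# summarise(SAMPLE) -> {'drop': 1, 'rate-limit': 1, 'redirect': 1, 'remark': 1}
```

The same classifier, run over the communities pulled from an MRT archive, gives a quick inventory of which FlowSpec actions a feed actually carries, and a drop rule (rate 0) that nobody expected is the kind of thing worth flagging given the outage John links to.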