+1, exactly what we did. I also recommend implementing
per-upstream/region blackhole communities (so your users can choose who
to blackhole as they see fit.)
Often time, DDoS traffic comes from regions that do not intersect with
legitimate traffic.
On 2/4/2019 03:15 午前, Tom Hill wrote:
On 31/01/2019 20:17, Nick Hilliard wrote:
you should implement a different community for upstream blackholing.
This should be stripped at your upstream links and replaced with the
provider's RTBH community. Your provider will then handle export
restrictions as they see fit.
This works wonderfully, from past experience. :)
