This is an automated weekly mailing describing the state of the Global
IPv4 Routing Table as seen from APNIC's router in Japan.
The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG
UKNOF, TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.
Daily listings are sent to bg
Lee,
I’m attending an Internet Integrity meeting hosted by globalcyberalliance.org
in a couple of weeks. I intend to discuss the topic there. I’ll also explore
with MANRS if it makes sense to have recommended actions for DDoS scrubbing
services.
It would be great to have the DDoS providers in
>> what's an as-set?
> An IRR object that contains ASNs and other as-sets. Generally used to
> represent a network’s customer cone.
ahhh. cool. i was worried you meant {1,2,3}, which is pretty much
dead.
randy
We're just working on a measurement paper about this:
Firstly, a measure in 2019 [1] shows that DDoS protection itself is not a major
cause of RPKI Invalid (contribute less than 1%).
Also, the propagation time for ROA usually takes 10 - 100 minutes, which is not
that long [2].
We found out that
On 18 Oct 2024, at 13:17, Randy Bush wrote:
>> In some cases, you can identify customers of DDoS mitigation services
>> by looking at as-sets published by these providers
>
> what's an as-set?
>
> randy
An IRR object that contains ASNs and other as-sets. Generally used to represent
a network’s cu
> In some cases, you can identify customers of DDoS mitigation services
> by looking at as-sets published by these providers
what's an as-set?
randy
Hi Rich,
What I see is a mix of approaches when announcing the more specific:
- retaining the original origin
- the origin of their upstream provider
- the origin of the scrubbing provider
I see no reliable way to determine which might be used. The organization
creating the ROA frequently doesn
DDoS mitigation providers normally originate a customer’s /24 or /48 with their
ASN as the origin. This prefix is the most specific prefix which covers the
customer’s IP(s) under attack that will be accepted on the Internet. If a
customer has created ROAs for the protected prefixes, they would
I'm very interested in this!
I'd suggest talking with the smart folks at globalcyberalliance.org, who now
operate MANRS. I'm sure Brad Gorman, the ARIN product owner for routing
security, is also close by.
I was going to suggest an informal BoF at NANOG next week, but I see you aren't
registe
DDoS mitigation services, particularly those that dynamically announce more
specific routes during an attack, add complexity when advising customers on
creating their RPKI-ROAs. Smaller organizations, often served by networks that
provide DDoS mitigation on their behalf, might be unaware of thes
10 matches
Mail list logo
