Since we see >1Tbps DDOS attacs in the wild, I suppose out-of-the-box DDOS mitigation suppliers have lost this race. There is no operator in Switzerland which can handle 1Tbps DDOS attacks.
When we saw DDOS against digitec.ch and others earlier this year, I was a bit surprised that none of the so called "experts" proposed regional BGP propagation as a remedy. Given that e-commerce such as digitec.ch is assumingly making 99.9% of the revenue within Switzerland, their prefix doesn't need to reachable from all over the world. If the prefix of a Swiss e-commerce would be reachable from Swiss broadband providers only, the DDOS is mitigated, as the vast majority of the botnet is lacking a route to the targeted victim IP address. To achieve this I think we need a collaborative community effort setting up a common procedure and define a BGP communitiy with the effect "do not announce beyond Switzerland". An e-commerce should be able to hit the button injecting this defined BGP community when under attack (or permanently, of course). I suppose to make this idea a success we need to have all major operators in Switzerland on board (3303, 6730, 6830) and I suppose the smaller operators will follow in their own interest to avoid blackholes. Anyone? I think it's good if a somewhat "neutral body" with decent BGP knowledge could take the lead for such a working group, maybe SWITCH or SwissIX? -- Fredy Kuenzler --------------------- Fiber7. No Limits. https://www.fiber7.ch --------------------- Init7 (Switzerland) Ltd. AS13030 St.-Georgen-Strasse 70 CH-8400 Winterthur Skype: flyingpotato Phone: +41 44 315 4400 Fax: +41 44 315 4401 Twitter: @init7 / @kuenzler http://www.init7.net/ _______________________________________________ swinog mailing list [email protected] http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
