Speaking for PCH, which operates the largest DNS CDN, what you’re discussing is 
similar to our practice, in effect.  We have server clusters in 145 IXPs, 
including Switzerland.  90% of those advertise services only through peering, 
so, only to our peers at each specific exchange and their customers, but not to 
global transit.  10% of our locations also advertise services through global 
transit.  In our experience, although the vast majority of our legitimate 
traffic is handled through peering, DDoS attacks rarely have any significant 
effect on the peering-only locations, while they have disproportionately large 
effect on the sites with global transit.

As well, the inter-provider coordination and assistance, which we already do 
quite a bit of through NSP-Sec and INOC-DBA, is invaluable in mitigating the 
effects of DDoS attacks.

So, what’s being proposed seems eminently sensible to me, and PCH would happily 
participate, whether within a Swiss scope, or globally.

                                -Bill



> On 2016-10-01 16:51, Fredy Kuenzler wrote:
> [..]
>> To achieve this I think we need a collaborative community effort
>> setting up a common procedure and define a BGP community with the
>> effect "do not announce beyond Switzerland".
> 
> Great initiative! If you need extra hands, don't hesitate to yell...
> 
> Did you btw see:
> http://www.trustednetworksinitiative.nl/
> https://www.nl-ix.net/solutions/security-solutions/trusted-routing
> https://ams-ix.net/technical/trusted-networks-initiative
> 
> We should have a Swiss equivalent:
> - trusted and direct contacts
> - require BCP38 where possible
> - proper statistics/monitoring
> - proper & standardized "You are DDoS'ing" notifications
>   providing Flow info as "proof".
> - proper & standardized "We put customer in walled garden"


_______________________________________________
swinog mailing list
[email protected]
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
