hi antonio On 07/06/16 at 05:36pm, Antonio Prado wrote: > > at BGP level, when an AS is DDoSed with a 10Gbps rate (or maybe more), 10Gbps ( bits/sec ) is not that big of an ISP but still not ez to DDoS it seems, some of the ISPs like to use RTBH for DDoS mitigation, but, that'd still imply they received the DDoS packets in order that they can /dev/null it ... i wonder why they don't traceroute back to the original attacker and have the local law enforcement come knocking on the door .. i ISP know where all the packets is coming from that they in turn fwd to the next hop > /usually/ there is a lot of gear inside an ISP that becomes unresponsive > before it can reach an iptables/firewall/ddos-mitigation box yup > so, dealing with iptables to sort out some local rate-limit effect > (until the pipe is not full) is ok, but it's useless if ASes don't > adhere to BCP38 or if they don't deploy BGPSec (for instance) yup magic pixie dust alvin -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
