

Kentik looked rather useful. We've been browsing in this space quite a bit for the last year. We've consistently struggled with the size of the attacks we are seeing, routinely hitting our upstreams at 2-4x our total uplink size. 

Has anyone set up any automated triggers with tools like Kentik? 

Does anyone have any experience with FastNetMon? (https://github.com/pavel-odintsov/fastnetmon) It seemed to potentially be a useful roll your own type of solution. 




Ben Wiechman
Network Engineer IV | Arvig
Direct: 320.256.0184
Cell: 320.247.3224
Office: 320.256.7471 

On Mon, Aug 1, 2016 at 8:48 AM, Andrew Hoyos <[log in to unmask]> wrote:
We’ve had great luck with Kentik (https://www.kentik.com/) as a general netflow tool to at least identify DDoS sources/targets (not to mention a very well rounded tool for analyzing flow data coupled with BGP info/sankey diagrams, as well).

From a mitigation perspective, hopefully your upstream providers support D/RTBH at a minimum. If they don’t, vote with your wallet and go somewhere that does.

Set up your IBGP mesh with a blackhole community and local null routing, with respective policies and communities on your transit edges matching their blackhole communities. In theory, you should be able to add a null route anywhere in your ibgp mesh, and have network wide black holing that also triggers upstream blackholing as well. Ideally, you’d have some sort of standalone trigger router with OOB access that you can use to originate those routes into BGP.

Bonus points for automating that process, or giving a tech an actionable alert to copy/paste into a router.

--
Andrew Hoyos



> On Jul 30, 2016, at 4:35 PM, Dave Williams <[log in to unmask]> wrote:
>
> Hi all – I know this isn’t a MICE specific question, but I can’t think of a better group of people to ask!  I was wondering if anyone could share their strategy for DDoS detection and mitigation?  We randomly have troubles with it and as you can imagine it’s quite the pain!
> Thanks in advance!
> d
>
> Dave Williams
> Founder / Visionary
> Revelation Network Management, Inc.
> O: 763.367.6161
> C: 763.670.5558
>
>
> To unsubscribe from the MICE-DISCUSS list, click the following link:
> http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
>



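Added example, not part of any message in this thread: a sketch of the decision logic behind an automated RTBH trigger of the kind discussed above, with the guardrails an unattended trigger needs. The prefixes, thresholds, community value and the ExaBGP-style announce/withdraw line format are all assumptions; the thread names no trigger software, and upstreams may require their own blackhole community.

```python
import ipaddress

# Every value below is an assumption made for this example (constructed data).
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]   # our address space
NEVER_BLACKHOLE = {ipaddress.ip_address("198.51.100.53")}  # e.g. resolvers
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE well-known community
DISCARD_NEXT_HOP = "192.0.2.1"     # next hop each router null-routes locally
TRIGGER_BPS = 2_000_000_000        # announce at or above this rate
CLEAR_BPS = 500_000_000            # withdraw only below this (hysteresis)
MAX_ACTIVE = 10                    # cap so a bad feed cannot blackhole everything


def eligible(ip):
    """Only hosts inside our own space, and never a protected address."""
    return ip not in NEVER_BLACKHOLE and any(ip in net for net in OWN_PREFIXES)


def route_line(action, ip):
    """One host route in the style of ExaBGP's text API (assumed format)."""
    return (f"{action} route {ip}/{ip.max_prefixlen} "
            f"next-hop {DISCARD_NEXT_HOP} community [{BLACKHOLE_COMMUNITY}]")


def decide(samples, active):
    """samples: {destination IP string: bits per second} from the flow tool.
    active: set of ip_address objects currently blackholed (updated in place).
    Returns the announce/withdraw lines for the trigger router to originate."""
    commands = []
    # Withdraw first, so recovered hosts free up slots under the cap.
    for ip in sorted(active, key=str):
        if samples.get(str(ip), 0) < CLEAR_BPS:
            active.discard(ip)
            commands.append(route_line("withdraw", ip))
    # Largest targets first, so the cap keeps the worst ones.
    for dst, bps in sorted(samples.items(), key=lambda kv: -kv[1]):
        ip = ipaddress.ip_address(dst)
        if bps < TRIGGER_BPS or ip in active or not eligible(ip):
            continue
        if len(active) >= MAX_ACTIVE:
            break
        active.add(ip)
        commands.append(route_line("announce", ip))
    return commands
```

The same lines can be shown to a technician as the copy/paste alert instead of being fed to a BGP speaker directly.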