GRE performance over the Internet - DDoS cloud mitigation

How stable can GRE transports and BGP sessions be when under load?

I typically protect the BGP session by policing all traffic being delivered to the remote end except for BGP. Using this posture, my BGP sessions over GRE are stable, even under attack.



That would also be my recommendation for this scenario. The only caveat
would be to consider the risk of the service-policy dropping legit traffic
because of the policy. Oftentimes, the PPS rates of a DDoS attack fill the
policy queue up with malicious packets, sending the legit packets into a
'blackhole' or whatever mechanism you use to discard.

Rate-limiters / QoS / Service-policies are good for some use cases but not
for others, I am confident we all agree.

In this case, "buying" time by implementing some initial tactics to
maintain stability is well worth the risk of being hard down, while the
mean-time to detect, alert, start blocking, and stop the attack is being
completed by the Cloud Provider.

From our perspective, we're talking 1 min averages with 5 min stop time for
L3/L4 attacks. Even if these situations were apparent, they'd be short


Does this answer your question or give you some ideas?

It was pointed out to me that this thread started June 8th, didn't see any
other replies.
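
Added example, not part of the thread: a small simulation of the posture discussed above, with BGP exempt from a policer that every other packet toward the tunnel shares, showing the caveat that legit traffic is dropped at the same ratio as the flood. The token-bucket model, rates, ports and traffic mix are all assumptions constructed for illustration.

```python
import random
from collections import Counter

BGP_PORT = 179  # TCP port used by BGP

class Policer:
    """Single-rate token bucket counted in packets (assumed policer model)."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def conforms(self, now):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # exceed action: drop

def is_bgp(proto, sport, dport):
    return proto == "tcp" and BGP_PORT in (sport, dport)

def simulate(attack_pps, legit_pps=2000, bgp_pps=10, rate_pps=10000,
             burst=1000, seconds=2, seed=1):
    """Return {kind: (sent, delivered)} for constructed traffic toward the tunnel."""
    rng = random.Random(seed)
    flows = {  # kind -> (pps, proto, sport, dport); all values are constructed
        "bgp": (bgp_pps, "tcp", 40000, BGP_PORT),
        "legit": (legit_pps, "tcp", 50000, 443),
        "attack": (attack_pps, "udp", 1024, 80),
    }
    packets = [(rng.random() * seconds, kind, proto, sport, dport)
               for kind, (pps, proto, sport, dport) in flows.items()
               for _ in range(pps * seconds)]
    packets.sort()
    policer, sent, delivered = Policer(rate_pps, burst), Counter(), Counter()
    for t, kind, proto, sport, dport in packets:
        sent[kind] += 1
        # BGP bypasses the policer; everything else shares one bucket.
        if is_bgp(proto, sport, dport) or policer.conforms(t):
            delivered[kind] += 1
    return {k: (sent[k], delivered[k]) for k in flows}

if __name__ == "__main__":
    for pps in (0, 100_000):
        print(f"attack={pps} pps ->", simulate(pps))
```

With no flood, every legit packet passes; with the flood, BGP is still fully delivered while legit traffic competes for the same tokens as the attack.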