level3 dia egress filtering?

Christopher_Rogers2 · May 12, 2014, 9:46pm

Does anyone have any experience dealing with level3 in trying to get egress
filters applied to an internet dia link with them?

I've been trying to get them to apply an egress filter to drop all of udp
to a certain /25 on my network that's been getting hammered by a dns
amplification attack, and I am being told that they can only 'drop an
entire protocol, and not to a specific ip address or range.'

Can anyone confirm if that's the case?

cheers
-chris

Petter_Bruland · May 12, 2014, 9:58pm

We contacted Level3 a few weeks back, and were told that they do not provide any filtering service.
I've not been able to confirm this from anyone else, besides the Level3 customer service rep we spoke with.

Currently looking into a DDoS protection service from Akamai. Sounds awesome what they can do, but often "awesome" translates to "overkill" and/or "too expensive".

-Petter

Bob_Evans · May 12, 2014, 10:20pm

Are you asking a transit network to filter specific ports as an end user
or as an ISP who has Level 3 as a transit provider?

I haven't seen a specific port could be dropped by any network....Only
aware of BGP community string like, 3356:9999 - black hole (discard all
traffic for specific IP range) traffic type abilities.

We have and will filter specific ports for customers. But this port type
ACL is completed by hand....I haven't seen anyone implement this using a
BGP community string.

Bob Evans
CTO
Fiber Internet CenterThank You
Bob Evans
CTO

Christopher_Rogers2 · May 12, 2014, 10:27pm

Not specific ports, but something more like:

'deny udp any my.target.slash.25 0.0.255.255'

BGP blackholing will obviously impact all traffic to a target.

-chris

Bob_Evans · May 12, 2014, 11:22pm

Ahh, Yep, same thing port and/or protocol for an address range. I haven't
seen that accomplished via BGP. I know ATT will do it - they want about 2K
more per month for that ability. All your traffic is redirected (extra
hops ) through a firewall. So, it's a basic expensive firewall service.

We have done both port based and protocol. But it gets installed by hand
only on the connected port the customer.

Bob Evans
CTO
Fiber Internet Center

Justin_M_Streiner · May 12, 2014, 10:59pm

outside of truly exceptional circumstances, or it's treated as a revenue source. If it's offered at all, it's often priced unattractively, because carriers often don't want to be in the firewall/port-filtering business.

jms

Ca_By · May 13, 2014, 2:02am

Ahh, Yep, same thing port and/or protocol for an address range. I

haven't

seen that accomplished via BGP. I know ATT will do it - they want about

2K

more per month for that ability. All your traffic is redirected (extra
hops ) through a firewall. So, it's a basic expensive firewall service.

We have done both port based and protocol. But it gets installed by hand
only on the connected port the customer.

From what I've seen, most of the major carriers don't filter traffic

outside of truly exceptional circumstances, or it's treated as a revenue
source. If it's offered at all, it's often priced unattractively, because
carriers often don't want to be in the firewall/port-filtering business.

jms

All my providers provide me incident response that includes rtbh as well as
ACL and in some cases protocol rate limiting. ACL may take a while working
the phone, but rtbh is immediate.

I substanilly decreased business with at&t since they do not offer rtbh.
Rtbh is really the floor on security features, and at&t is below the floor.

CB

Mark_Tinka1 · May 13, 2014, 9:02am

We've received such requests from customers as well, and our
policy is we do not implement any kind of filtering, even
though it is restricted to just one customer.

If the customer is looking for DoS/DDoS Mitigation services,
that is something else that can be offered.

But as an ISP, filtering in the data plane that is not for
the protection of our core's control plane is not our deal.
It is not something I'd ask of my IP Transit provider, nor
support that they do.

Mark.

Blake_Dunlap1 · May 13, 2014, 1:51pm

I would personally look at leaving Level 3 over that kind of response.
I consider it basic service to throw a 1 line acl on an interface
temporarily in exceptional circumstances. Transit guys can argue if
they wish, but it won't change my expectations as a customer.
Eventually I'll find a carrier that will offer reasonable service.

I know it's why I kept UUnet back in the day, and dropped all my other
providers at the time. Heck ATT even blackholed our traffic with a
static null, so we were broken even after depeering for several hours
until we could find someone who knew what a route was via their
support.

-Blake

Paul_S · May 13, 2014, 2:08pm

You can't really have your cake, and eat it too.

If this is a deal breaker for anyone, getting it in writing within the contract should be the most basic of steps to undertake. Asking beforehand will also actually let you know who will and won't do this, thus avoid surprises like these altogether.

Otherwise, as Mark mentioned, they're entirely within the contractual agreement.

Mark_Tinka1 · May 13, 2014, 2:21pm

I suppose the question then becomes your and the ISP's
interpretation of "exceptional circumstances".

Mark.