How does AARNet mitigate DoS and DDoS attacks?

It is important to note that there isn't one single way to deal with DoS and DDoS attacks, but here is some information about how AARNet deals with them.

AARNet deploys BCP38 on all customer connections

Best Current Practice 38 (RFC 2827) recommends that internet service providers apply “anti-spoofing” measures: ingress traffic filtering on customer interfaces that drops traffic originating from any source IP address that is not registered to that client.

AARNet currently creates a BCP 38 filter on every AARNet4 customer connection, which only allows traffic that we expect that customer to be sending. This means that any traffic sent to AARNet that is not from the IP ranges registered by that customer with AARNet will be dropped at our router.

AARNet offers clients the ability to remotely trigger filtering of their traffic via a black hole route

Remote Triggered Black Hole Filtering (RFC 5635) has been available to AARNet customers since early 2003.

If a customer detects DoS/DDoS traffic destined towards one or more of their IP addresses, they can announce specific routes corresponding to these IP addresses to their upstream AARNet router with a BGP community tag of 7575:6.  

On receiving these routes, the AARNet network drops traffic destined to those IP addresses on all AARNet routers, stopping it from reaching the customer’s network. The traffic is dropped by AARNet backbone routers as soon as it enters the AARNet network from our upstream internet transit providers.

Alternatively, an AARNet customer can contact the AARNet NOC via phone or email and request that DoS/DDoS traffic be black-holed manually.
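
The two filters described above (the BCP 38 source check on customer connections and the 7575:6 black hole route), modelled as a small Python sketch. This is an added example, not AARNet's router configuration: the class and method names, the customer name, the documentation prefixes and the rule that a customer may only black-hole its own ranges are all assumptions made for illustration.

```python
import ipaddress

BLACKHOLE_COMMUNITY = "7575:6"  # community tag quoted on the page


class EdgeModel:
    """Toy model of the two filters; names and data are hypothetical."""

    def __init__(self, registered):
        # registered: {customer: [prefixes]} (constructed sample data)
        self.registered = {c: [ipaddress.ip_network(p) for p in ps]
                           for c, ps in registered.items()}
        self.blackholed = set()

    def customer_ingress(self, customer, src):
        """BCP 38: forward only sources inside the customer's registered ranges."""
        addr = ipaddress.ip_address(src)
        nets = self.registered.get(customer, [])
        return "forward" if any(addr in n for n in nets) else "drop"

    def bgp_announce(self, customer, prefix, communities):
        """Install a blackhole for a customer route tagged 7575:6."""
        if BLACKHOLE_COMMUNITY not in communities:
            return "not-blackhole"
        net = ipaddress.ip_network(prefix)
        # Assumption (not stated on the page): a customer may only
        # blackhole addresses inside its own registered ranges.
        own = any(net.version == n.version and net.subnet_of(n)
                  for n in self.registered.get(customer, []))
        if not own:
            return "rejected"
        self.blackholed.add(net)
        return "installed"

    def bgp_withdraw(self, prefix):
        """Withdrawing the route lifts the blackhole."""
        self.blackholed.discard(ipaddress.ip_network(prefix))

    def transit_ingress(self, dst):
        """RTBH: drop at the backbone edge when dst is in a blackholed route."""
        addr = ipaddress.ip_address(dst)
        return "drop" if any(addr in n for n in self.blackholed) else "forward"


if __name__ == "__main__":
    edge = EdgeModel({"uni-a": ["192.0.2.0/24", "2001:db8:10::/48"]})
    print(edge.customer_ingress("uni-a", "198.51.100.9"))   # spoofed source
    print(edge.bgp_announce("uni-a", "192.0.2.80/32", ["7575:6"]))
    print(edge.transit_ingress("192.0.2.80"))
```

The black hole matches on destination only, so legitimate traffic to the announced address is dropped along with the attack traffic. Announcing the most specific route and withdrawing it once the attack ends limits that impact.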

NOC monitoring

The AARNet 24x7 NOC monitors network traffic and investigates any abnormal traffic it notices. Please note that, given the bandwidth capacity within the AARNet network, we may not detect all types of abnormal traffic.