On 01.10.2016 17:35, Gert Doering wrote:
I think this is an awesome idea.
The situation is similar here in DE - nobody could stand a 1 Tbit DDoS attack, and a large number of content offerings are targeted only to German-speaking customers, so if DE/A/CH work, 99% of the customers are still able to reach the site.
Maybe we should widen the approach and define a collaborative BGP community "do announce only in country X", where X is some ISO-3166 country number? A prefix then can contain multiple communities, i.e. to cover the whole DACH region.
https://de.wikipedia.org/wiki/ISO-3166-1-Kodierliste
I'm not really sure how this would work in your example - what if you have two customers in a given BGP announcement, one of them *does* want to be reached world-wide (like, corporate VPNs) and the other one is attacked? Split the aggregate, or bite the bullet and have all of them with limited reach, for the time being?
I suppose the e-commerce sites using such a mechanism would be able to afford their own /24 and a decent block of IPv6 space (in other words: buy legacy PI or become LIR). Another option is new business for managed hosting "DDOS bullet proof Switzerland Hosting", where the hoster dedicates a /24 or bigger for permanent limited propagation.
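As an added illustration of the two points discussed above (the "announce only in country X" community encoding, and whether an aggregate with customers of differing reach has to be split), here is a toy model of the origin-side export decision. It is example code written for this page, not from any participant in the thread and not a real router implementation. It assumes a private ASN 65000 as the high-order half of the scoping community, with the low-order half carrying the ISO 3166-1 numeric country code; the prefixes, customers and peer list are constructed sample data.

```python
"""Toy model of the 'announce only in country X' BGP community proposal.

Added example, not from the mailing-list thread. Assumed convention:
a standard 32-bit community SCOPE_ASN:<ISO 3166-1 numeric code>, one per
country the prefix may be announced in. A prefix with no scoping community
keeps today's default behaviour (announced everywhere).
"""
import ipaddress

SCOPE_ASN = 65000  # assumption: private ASN used as the community's ASN half

# ISO 3166-1 numeric codes (subset) used as the community's value half
ISO3166_NUMERIC = {"DE": 276, "AT": 40, "CH": 756, "US": 840}


def scope_community(country: str) -> str:
    """Encode 'announce only in <country>' as a standard community string."""
    return f"{SCOPE_ASN}:{ISO3166_NUMERIC[country]}"


def parse_community(comm: str) -> tuple[int, int]:
    asn, value = comm.split(":")
    return int(asn), int(value)


def should_export(communities, peer_country: str) -> bool:
    """Export filter at the origin's border toward a peer located in peer_country.

    Only communities whose ASN half is SCOPE_ASN count as scoping communities;
    anything else (e.g. a customer's own communities) is ignored here.
    """
    scopes = {value for asn, value in map(parse_community, communities)
              if asn == SCOPE_ASN}
    if not scopes:
        return True  # no scoping community: global announcement as today
    return ISO3166_NUMERIC[peer_country] in scopes


def split_aggregate(aggregate: str, customers):
    """Decide what to announce for an aggregate shared by several customers.

    customers: list of (prefix, set_of_country_codes); an empty set means the
    customer wants world-wide reach. If every customer wants the same scope
    the aggregate is announced as-is, otherwise each customer's more-specific
    is announced with its own scoping communities (the 'split the aggregate'
    option from the thread).
    """
    agg = ipaddress.ip_network(aggregate)
    scopes = []
    for prefix, countries in customers:
        net = ipaddress.ip_network(prefix)
        if not net.subnet_of(agg):
            raise ValueError(f"{prefix} is not inside {aggregate}")
        scopes.append(frozenset(countries))
    if len(set(scopes)) == 1:
        return [(aggregate, sorted(scope_community(c) for c in scopes[0]))]
    return [(prefix, sorted(scope_community(c) for c in countries))
            for prefix, countries in customers]


def export_plan(announcements, peer_countries):
    """Map each announced prefix to the set of peer countries that receive it."""
    return {prefix: {pc for pc in peer_countries if should_export(comms, pc)}
            for prefix, comms in announcements}


if __name__ == "__main__":
    # Constructed sample: a /23 (RFC 2544 benchmarking range) shared by a
    # DACH-only web shop and a corporate VPN gateway that needs global reach.
    customers = [
        ("198.18.0.0/24", {"DE", "AT", "CH"}),  # DDoS-exposed shop, DACH only
        ("198.18.1.0/24", set()),               # corporate VPN, world-wide
    ]
    plan = export_plan(split_aggregate("198.18.0.0/23", customers),
                       ["DE", "AT", "CH", "US"])
    for prefix, reach in sorted(plan.items()):
        print(prefix, "->", sorted(reach))
```

The model only covers the originating network's own border: for the scheme to work as a "collaborative" community, every upstream and peer would have to apply the same export rule, much as they honour well-known communities today. Note that the split results in more-specifics, so the aggregate itself is no longer announced in the differing-scope case.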