Speaking for PCH, which operates the largest DNS CDN, what you’re discussing is similar to our practice, in effect. We have server clusters in 145 IXPs, including Switzerland. 90% of those advertise services only through peering, so, only to our peers at each specific exchange and their customers, but not to global transit. 10% of our locations also advertise services through global transit. In our experience, although the vast majority of our legitimate traffic is handled through peering, DDoS attacks rarely have any significant effect on the peering-only locations, while they have a disproportionately large effect on the sites with global transit.
As well, the inter-provider coordination and assistance, which we already do quite a bit of through NSP-Sec and INOC-DBA, is invaluable in mitigating the effects of DDoS attacks.
So, what’s being proposed seems eminently sensible to me, and PCH would happily participate, whether within a Swiss scope, or globally.
-Bill
On 2016-10-01 16:51, Fredy Kuenzler wrote: [..]
To achieve this I think we need a collaborative community effort setting up a common procedure and defining a BGP community with the effect "do not announce beyond Switzerland".
Great initiative! If you need extra hands, don't hesitate to yell...
Did you btw see:
http://www.trustednetworksinitiative.nl/
https://www.nl-ix.net/solutions/security-solutions/trusted-routing
https://ams-ix.net/technical/trusted-networks-initiative
We should have a Swiss equivalent:
- trusted and direct contacts
- require BCP38 where possible
- proper statistics/monitoring
- proper & standardized "You are DDoS'ing" notifications providing Flow info as "proof".
- proper & standardized "We put customer in walled garden"
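As an added illustration (not code from anyone in this thread) of how the proposed "do not announce beyond Switzerland" community and PCH's peering-only practice could be checked rather than trusted, the following Python models an export policy per BGP session and audits a constructed announcement table for leaks. The community value 64496:100 is a placeholder in documentation ASN space; the thread defines no actual value.

```python
from dataclasses import dataclass, field

# Placeholder community (ASN 64496 is RFC 5398 documentation space);
# the thread does not define an actual value.
NO_EXPORT_BEYOND_CH = (64496, 100)


@dataclass
class Route:
    prefix: str
    communities: set = field(default_factory=set)


@dataclass(frozen=True)
class Session:
    name: str
    kind: str     # "ix-peer", "customer" or "transit"
    country: str  # ISO 3166 code of where the session terminates


def export_allowed(route: Route, session: Session) -> bool:
    """Export policy: a route tagged for Swiss-only scope may go to
    IX peers and customers inside Switzerland, never to global transit."""
    if NO_EXPORT_BEYOND_CH not in route.communities:
        return True
    if session.kind == "transit":
        return False
    return session.country == "CH"


def find_leaks(announced: dict, routes: list) -> list:
    """Audit what is actually announced per session (e.g. from a looking
    glass dump) and list (session, prefix) pairs that violate the policy."""
    by_prefix = {r.prefix: r for r in routes}
    return sorted(
        (s.name, p)
        for s, prefixes in announced.items()
        for p in prefixes
        if p in by_prefix and not export_allowed(by_prefix[p], s)
    )


# Constructed sample data: one scoped prefix, one unscoped prefix.
ROUTES = [Route("192.0.2.0/24", {NO_EXPORT_BEYOND_CH}), Route("198.51.100.0/24")]
SESSIONS = {
    "swissix": Session("swissix-peer", "ix-peer", "CH"),
    "amsix": Session("amsix-peer", "ix-peer", "NL"),
    "transit": Session("global-transit", "transit", "CH"),
}
# The scoped prefix wrongly reaches the transit session here.
ANNOUNCED = {
    SESSIONS["swissix"]: ["192.0.2.0/24", "198.51.100.0/24"],
    SESSIONS["amsix"]: ["198.51.100.0/24"],
    SESSIONS["transit"]: ["192.0.2.0/24", "198.51.100.0/24"],
}

if __name__ == "__main__":
    print(find_leaks(ANNOUNCED, ROUTES))
```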