Hi,
Scenario:
DDoS attack discovered on 10gb link to a subscriber. As an ISP we send the subscriber's address (destination) to the blackhole so the DDoS attack is eliminated from our network. We investigate and find one of the IPs used. The obvious problem here is "When do we allow traffic back to that subscriber without having to ask the upstream ISP?" This presents a problem. So, we think "I know, why don't we use one of our queues, set it to 1kb and send the traffic from the source to that queue, thus negating the DDoS attack and allowing the other legitimate traffic to the subscriber"...
So, there is the scenario, and now here is the question:
Is there a way of using CoS to separate traffic based on source address and send that traffic to a queue?
Obviously there is a simpler method of just blocking that address and sending the traffic to a null interface; however, from my understanding this method is utilised AFTER the traffic has entered the physical interface, whereas the CoS option can separate this AT the physical interface, thus negating bandwidth consumption at the interface level...
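One way to build what the question describes on Junos, as an added example that is not from this post: an ingress firewall filter matches the attacking source, counts it, assigns it a low forwarding class and a policer, and the subscriber-facing interface schedules that class at a minimal rate. The filter and policer names, the prefixes, the interface names and the rates are all assumed placeholders.

```junos
firewall {
    family inet {
        filter ddos-src-limit {
            term attacker {
                from {
                    source-address { 192.0.2.10/32; }        /* placeholder: attacking source */
                    destination-address { 198.51.100.0/24; } /* placeholder: subscriber prefix */
                }
                then {
                    policer ddos-1k;               /* hard rate cap per attacking source */
                    forwarding-class scavenger;    /* steer into the low-rate queue */
                    loss-priority high;            /* first to be dropped under congestion */
                    count ddos-src-hits;           /* counter for incident tracking */
                }
            }
            term everything-else {
                then accept;                       /* legitimate traffic untouched */
            }
        }
    }
    policer ddos-1k {
        if-exceeding {
            bandwidth-limit 8k;                    /* 8 kbps is the Junos minimum */
            burst-size-limit 1500;
        }
        then discard;
    }
}
class-of-service {
    forwarding-classes {
        class scavenger queue-num 3;               /* assumed free queue number */
    }
    schedulers {
        scavenger-sched {
            transmit-rate percent 1 exact;         /* never exceed 1% of the link */
            buffer-size percent 1;
            priority low;
        }
    }
    scheduler-maps {
        subscriber-map { forwarding-class scavenger scheduler scavenger-sched; }
    }
    interfaces {
        xe-0/1/0 { scheduler-map subscriber-map; } /* placeholder: subscriber-facing port */
    }
}
interfaces {
    xe-0/0/0 {                                     /* placeholder: upstream-facing port */
        unit 0 { family inet { filter { input ddos-src-limit; } } }
    }
}
```

Both the filter and the queue act on packets the router has already received on the upstream port, so this protects the subscriber link and the forwarding path but not the inbound capacity of the upstream interface itself; `show firewall counter ddos-src-hits filter ddos-src-limit` shows how much of the attack the term is catching.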