nanog mailing list archives

Re: netscan.org update


From: Troy Davis <troy () nack net>
Date: Sun, 24 Sep 2000 12:58:05 -0700


On Sun, 24 Sep 2000, James A. T. Rice <James_R-nanog () jump org uk> wrote:

> Why aggregate? You could just announce the /32's of the actual broadcast
> addresses, and cause much less damage to other resources on that network.

/32 announcements filter the pre-amplification (attacker -> amplifier) 
traffic, which very likely takes a different path than post-amplification 
(amplifier -> victim) traffic.  Since using 1.2.3.255 as an amplifier can 
result in responses from other IPs within 1.2.3.0/24 (and occasionally 
even other netblocks), if the attacker <-> amplifier path doesn't accept 
the BGP feed, the attack will happen regardless of whether the victim's 
upstream accepts the BGP feed.

The /24 announcements filter [most of] the actual flood as well as the
amplifiers.

> Also if you do aggregate, your blackhole route will probably be less
> specific than the 'real' route, so the 'real' route and not the blackhole
> one is what would get used.

Good point.  Unaggregated /24s would be the way to go.  To keep the
number of routes manageable, we would probably announce just those with a
high amplification ( > 10x).

Cheers,

Troy
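The two routing points made in this exchange, worked through as an added example that is not part of the thread: the /24 covering each amplifier above the 10x threshold is announced as a blackhole, and a longest-prefix-match lookup shows why a /24 announcement overrides the "real" route while an aggregated /16 loses to it. The amplifier list, its amplification ratios and the "real" routing table are all constructed for the example (documentation ranges, hypothetical values); the function names are the example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the thread): directed-broadcast addresses a
# netscan-style probe found, each with a hypothetical measured amplification
# ratio (reply packets per probe packet).
SAMPLE_AMPLIFIERS: Dict[str, float] = {
    "192.0.2.255": 42.0,      # well above the 10x threshold
    "192.0.2.127": 3.5,       # weak amplifier in the same /24
    "198.51.100.255": 18.0,   # above threshold
    "203.0.113.63": 9.9,      # just below threshold, left out
}

# Threshold from the message: only announce /24s with > 10x amplification.
MIN_AMPLIFICATION = 10.0

Route = Tuple[ipaddress.IPv4Network, str]


def select_blackhole_prefixes(amplifiers: Dict[str, float],
                              threshold: float = MIN_AMPLIFICATION,
                              prefixlen: int = 24) -> List[ipaddress.IPv4Network]:
    """Map each amplifier above the threshold to its covering /24 and dedupe.

    Several amplifiers inside one /24 collapse to a single announcement, which
    is what keeps the number of routes manageable.
    """
    nets = set()
    for addr, ratio in amplifiers.items():
        if ratio > threshold:
            nets.add(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))
    return sorted(nets)


def aggregate(prefixes: List[ipaddress.IPv4Network],
              new_prefixlen: int) -> List[ipaddress.IPv4Network]:
    """Collapse prefixes into shorter, less specific supernets (e.g. /24s into /16s)."""
    return sorted({p.supernet(new_prefix=new_prefixlen) for p in prefixes})


def longest_prefix_match(rib: List[Route], dst: str) -> Optional[Route]:
    """Pick the most specific route covering dst, as a router's FIB lookup does."""
    ip = ipaddress.ip_address(dst)
    covering = [r for r in rib if ip in r[0]]
    return max(covering, key=lambda r: r[0].prefixlen) if covering else None


def next_hop_for(dst: str, real_routes: List[str],
                 blackholes: List[ipaddress.IPv4Network]) -> Optional[str]:
    """Merge the real table with the blackhole announcements and look dst up."""
    rib: List[Route] = [(ipaddress.ip_network(p), "real") for p in real_routes]
    rib += [(n, "blackhole") for n in blackholes]
    match = longest_prefix_match(rib, dst)
    return match[1] if match else None


if __name__ == "__main__":
    # Constructed "real" table: the first amplifier's network is reachable via a /23.
    real = ["192.0.2.0/23", "198.51.100.0/22", "203.0.113.0/24"]
    specific = select_blackhole_prefixes(SAMPLE_AMPLIFIERS)
    aggregated = aggregate(specific, 16)
    print("unaggregated /24 blackholes:", [str(n) for n in specific])
    print("aggregated /16 blackholes:  ", [str(n) for n in aggregated])
    # The /24 is more specific than the real /23, so it wins and traffic is dropped.
    print("192.0.2.255 with /24 blackholes ->", next_hop_for("192.0.2.255", real, specific))
    # The /16 is less specific than the real /23, so the real route wins and the
    # blackhole never takes effect, which is James's point.
    print("192.0.2.255 with /16 blackholes ->", next_hop_for("192.0.2.255", real, aggregated))
    # An address under the threshold keeps following the real route.
    print("203.0.113.63 ->", next_hop_for("203.0.113.63", real, specific))
```

Run it directly to see the lookups; the decisive comparison is the two lookups for 192.0.2.255, which return "blackhole" with the /24 announcements and "real" once they are aggregated to a /16.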


