nanog mailing list archives

Re: netscan.org update


From: "James A. T. Rice" <James_R-nanog () jump org uk>
Date: Sun, 24 Sep 2000 21:21:45 +0100 (BST)


On Sun, 24 Sep 2000, Troy Davis wrote:

> /32 announcements filter the pre-amplification (attacker -> amplifier)
> traffic, which very likely takes a different path than post-amplification
> (amplifier -> victim) traffic.  Since using 1.2.3.255 as an amplifier can
> result in responses from other IPs within 1.2.3.0/24 (and occasionally
> even other netblocks), if the attacker <-> amplifier path doesn't accept
> the BGP feed, the attack will happen regardless of whether the victim's
> upstream accepts the BGP feed.
>
> The /24 announcements filter [most of] the actual flood as well as the
> amplifiers.

If you want to filter the flood rather than the pre-amplification, you'd
be trying to filter by source IP, rather than nullroute on destination IP,
which would require either policy routing, which is relatively expensive,
or something along the lines of Cisco's ip verify unicast reverse-path,
which you'd be lucky if you found an interface 'safe' to use it on. This
would be a LOT more work for people to set up than nullrouting the /32
broadcast addresses.

-James
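The distinction both posters draw (a destination null route on the advertised /32 or /24 stops only the attacker-to-amplifier leg, while stopping the amplified flood itself needs a source-based check such as uRPF against a Null0 route) can be seen in a small simulation. The code below is an added example, not part of the original thread or of netscan.org; it reuses the thread's 1.2.3.255 / 1.2.3.0/24 example and constructs placeholder attacker, amplifier-host and victim addresses from the documentation ranges.

```python
"""Simulate the two filtering approaches discussed in the thread:
destination-based null routes (blackholing the advertised /32 or /24)
versus source-based checks (uRPF-style dropping of packets whose source
falls inside a null-routed prefix). Added example; addresses other than
1.2.3.255 / 1.2.3.0/24 are constructed."""
import ipaddress

# Constructed sample endpoints (not from the original post).
ATTACKER = "192.0.2.10"        # sends spoofed packets to the broadcast address
VICTIM = "198.51.100.5"        # the spoofed source, receives the amplified replies
AMP_BROADCAST = "1.2.3.255"    # directed-broadcast address used as amplifier
AMP_HOST = "1.2.3.7"           # a host inside 1.2.3.0/24 that answers the broadcast


def longest_match(table, addr):
    """Return the most specific prefix in `table` that contains `addr`, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def destination_nullroute(table, src, dst):
    """Conventional blackhole route: drop when the destination is in the feed."""
    return longest_match(table, dst) is not None


def source_urpf_drop(table, src, dst):
    """uRPF with the feed pointed at Null0: drop when the *source* is in the feed."""
    return longest_match(table, src) is not None


def simulate(table, policy):
    """Classify both legs of a broadcast-amplification attack under `policy`."""
    pre_amp = (ATTACKER, AMP_BROADCAST)   # attacker -> amplifier
    post_amp = (AMP_HOST, VICTIM)         # amplifier host -> victim (the flood)
    return {
        "pre_amplification_dropped": policy(table, *pre_amp),
        "post_amplification_dropped": policy(table, *post_amp),
    }


if __name__ == "__main__":
    for feed in (["1.2.3.255/32"], ["1.2.3.0/24"]):
        for policy in (destination_nullroute, source_urpf_drop):
            print(feed, policy.__name__, simulate(feed, policy))
```

Running it shows the /32 destination null route dropping only the pre-amplification packet, while the flood from 1.2.3.7 is caught only by the source-based check, and only when the feed carries the /24 rather than the single broadcast address, which is why James expects the source-based approach to be the more expensive one to deploy.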



