nanog mailing list archives
Re: engineering --> ddos and flooding
From: Hank Nussbacher <hank () att net il>
Date: Mon, 04 Jun 2001 07:13:23 +0200
At 14:36 01/06/01 -0400, Mark Mentovai wrote:
>Walter Prue wrote:
>>I came up with a solution for networks with ISP connections to deal quickly with DDOS attacks without having to be able to work with a network technician at the ISP for immediate relief. If the ISP agrees, install a second low speed connection to the same router your primary router BGP peers with. Through this low speed connection you run a second bgp session advertising the /32 that is being attacked by the DDOS. You mark the /32 as NO-ADVERTISE so the route doesn't leave the border router.
>
>Or, without adding an extra connection, negotiate a NULLROUTE community with your upstream provider. This would be a wonderful addition to the well-known BGP communities. I'll bring this up on IDR.
Assuming not adding the extra connection, this means that upstream prefix filtering, so that one can't mistakenly inject 255 /24s rather than a single /16, would go out the window. Now think about /32s and what the routing tables will start to look like. Now consider that the upstream would also want to send to its upstream Tier-1 the NULLROUTE /32 as well so that his bandwidth is not eaten up as well and we have a situation whereby routing table size will triple in size every year.
-Hank
Mark
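An added example, not part of either poster's message: a sketch of an upstream import policy that keeps ordinary prefix-length filtering while accepting community-tagged /32s only inside the customer's registered blocks and up to a per-customer cap. The community value, the length limit, the cap and the sample prefixes are hypothetical.

```python
import ipaddress

# Hypothetical values for illustration; none of them come from the thread.
NULLROUTE = "65000:666"   # community agreed between customer and upstream
MAX_NORMAL_LEN = 24       # longest prefix accepted without the community
MAX_BLACKHOLES = 10       # per-customer cap on accepted /32 blackholes


def evaluate(announcements, customer_blocks):
    """Apply the import policy to (prefix, communities) pairs.

    Returns a list of (prefix, action); action is 'accept', 'blackhole'
    or 'reject: <reason>'.
    """
    blocks = [ipaddress.ip_network(b) for b in customer_blocks]
    results, blackholes = [], 0
    for prefix, communities in announcements:
        net = ipaddress.ip_network(prefix)
        if not any(net.subnet_of(b) for b in blocks):
            action = "reject: outside customer blocks"
        elif NULLROUTE in communities:
            if net.prefixlen != 32:
                action = "reject: blackhole must be a /32"
            elif blackholes >= MAX_BLACKHOLES:
                action = "reject: blackhole limit reached"
            else:
                blackholes += 1
                # A router would discard traffic to this host here and
                # set NO-ADVERTISE so the /32 stays on the border router.
                action = "blackhole"
        elif net.prefixlen > MAX_NORMAL_LEN:
            action = "reject: too specific"
        else:
            action = "accept"
        results.append((prefix, action))
    return results


# Constructed sample: the customer holds 192.0.2.0/24 and 198.51.100.0/24.
BLOCKS = ["192.0.2.0/24", "198.51.100.0/24"]
SAMPLE = [
    ("192.0.2.0/24", set()),
    ("192.0.2.77/32", {NULLROUTE}),    # host under attack
    ("192.0.2.78/32", set()),          # leaked /32 without the community
    ("198.51.100.0/25", {NULLROUTE}),  # tagged, but not a host route
    ("203.0.113.5/32", {NULLROUTE}),   # someone else's address
]

if __name__ == "__main__":
    for prefix, action in evaluate(SAMPLE, BLOCKS):
        print(f"{prefix:20} {action}")
```

The cap bounds how many extra /32s one customer can add to the border router's table; it does nothing about growth further upstream if the /32 is passed on.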