RE: attacking DDOS using BGP communities?

[alex () yuriev com]

> Interesting -- I was actually having a conversation about this very same
> thing with a friend of mine a few days ago.  The problem we had, was
> that he had next-hop-self on all of his ibgp mesh routers.  Does that
> not make it difficult to put an ip next-hop in?  Also, would that ip
> next-hop be propagated throughout his mesh or would that same route-map
> have to be present on all the edge routers?
>
> The other thing we were toying with was a setting the administrative
> distance for said black-holed route to be less than that of his igp and
> having his IGP route to 127.0.0.1 or something.

        Again, by doing this you are denying service since you are dropping
all the packets addressed to the target. Such protection mounts another DOS
attack on the target, this time by preventing any packets traveling though
your network from reaching the targets, as opposite to preventing DDOS from
using your network.
        If such system is implemented, the DOS attacks will become a lot
harder to trace and chase after, since the attackers will simply trigger
target blackholing.

Alex