nanog mailing list archives
RE: UUNet Offer New Protection Against DDoS
From: "Lumenello, Jason" <jlumenello () xo com>
Date: Wed, 3 Mar 2004 18:00:22 -0500
Oh, and I strip their communities, and apply no-export, on the first term of my route map so the /32 does not get out. Of course my peer facing policy requires specific communities to get out as well (belt and suspenders). This method works very well, and you do not have to give up length restrictions or maintain two sets of customer prefix/access lists. Jason
-----Original Message-----
From: Lumenello, Jason
Sent: Wednesday, March 03, 2004 4:52 PM
To: 'Stephen J. Wilcox'; james
Cc: nanog () merit edu
Subject: RE: UUNet Offer New Protection Against DDoS

I struggled with this, and came up with the following. We basically use a standard route-map for all customers where the first term looks for the community. The customer also has a prefix-list on their neighbor statement allowing their blocks le /32. The following terms (term 2 and above) in the route-map, which do NOT look for the customer discard community, have a different standard/generic prefix-list evaluation which blocks cruft and permits 0.0.0.0/0 ge 8 le 24. By doing this, I only accept a customer /32 from his dedicated prefix-list when it has the DOS discard community; otherwise I catch them with the ge 8 le 24 in the following terms.

Jason Lumenello
IP Engineering
XO Communications

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Stephen J. Wilcox
Sent: Wednesday, March 03, 2004 3:48 PM
To: james
Cc: nanog () merit edu
Subject: Re: UUNet Offer New Protection Against DDoS

I'm puzzled by one aspect on the implementation.. how to build your customer prefix filters.. that is, we have prefix-lists for prefix and length. Therefore at present we can only accept a tagged route for a whole block.. not good if the announcement is a /16 etc!

Now, I could do as per the website at secsup.org which means we have a route-map entry to match the community before the filtering.. but that would allow the customer to null route any IP.

What we need is one to allow them to announce any route including more specifics of the prefix list - how are folks doing this?

Steve

On Wed, 3 Mar 2004, james wrote:

> Global Crossing has this, already in production. I was on the phone with Qwest yesterday & this was one of the things I asked about. Qwest indicated they are going to deploy this shortly. (i.e., send routes tagged with a community which they will set to null)
>
> James Edwards
> Routing and Security
> jamesh () cybermesa com
> At the Santa Fe Office: Internet at Cyber Mesa
> Store hours: 9-6 Monday through Friday
> 505-988-9200 SIP:1(747)669-1965
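The policy Jason describes in the thread above, modeled as an added example (this is not XO's configuration and not code from any poster): the neighbor-statement prefix-list admits only the customer's own blocks "le 32"; route-map term 1 matches the blackhole community, points the route at a discard next-hop, strips the customer's communities and sets no-export; terms 2 and above ignore the community and run a generic list that denies cruft and permits 0.0.0.0/0 ge 8 le 24; the peer-facing policy additionally requires an export community. The community values, the discard next-hop, the cruft entries and the sample customer block (TEST-NET-2) are assumptions, since the thread names none of them. The samples exercise Stephen's two worries: a tagged /32 outside the customer's block never gets past the neighbor prefix-list, and an untagged /32 is dropped by the le 24 term.

```python
"""Model of the customer-facing BGP policy described above (added example, not XO's config)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed values: the thread names neither the blackhole community nor the discard next-hop.
BLACKHOLE_COMMUNITY = "65000:666"
EXPORT_COMMUNITY = "65000:100"    # community a route must carry to be sent to peers (assumed)
DISCARD_NEXT_HOP = "192.0.2.1"    # statically routed to Null0 on every edge router (assumed)

# Prefix-list entry: (action, network, ge, le), with Cisco semantics: entries are
# evaluated in order, first match wins, implicit deny at the end. A candidate matches
# an entry when it lies inside `network` and its length is within [ge, le].
PrefixEntry = Tuple[str, str, int, int]


@dataclass
class Route:
    prefix: str
    communities: Set[str] = field(default_factory=set)
    next_hop: Optional[str] = None
    no_export: bool = False


def prefix_list_permits(prefix: str, entries: List[PrefixEntry]) -> bool:
    net = ipaddress.ip_network(prefix)
    for action, network, ge, le in entries:
        if net.subnet_of(ipaddress.ip_network(network)) and ge <= net.prefixlen <= le:
            return action == "permit"
    return False  # implicit deny


def customer_prefix_list(blocks: List[str]) -> List[PrefixEntry]:
    """Neighbor-statement prefix-list: each of the customer's blocks, 'le 32'."""
    return [("permit", b, ipaddress.ip_network(b).prefixlen, 32) for b in blocks]


# Generic list used by route-map terms 2 and above: deny cruft, then 0.0.0.0/0 ge 8 le 24.
# The cruft entries are illustrative (RFC 1918 and 0/8); the real list is not in the thread.
GENERIC_PREFIX_LIST: List[PrefixEntry] = [
    ("deny", "10.0.0.0/8", 8, 32),
    ("deny", "172.16.0.0/12", 12, 32),
    ("deny", "192.168.0.0/16", 16, 32),
    ("deny", "0.0.0.0/8", 8, 32),
    ("permit", "0.0.0.0/0", 8, 24),
]


def customer_inbound(route: Route, blocks: List[str]) -> Tuple[str, Route]:
    """Apply the customer-facing inbound policy; returns ('blackhole'|'accept'|'deny', route)."""
    # Neighbor prefix-list first: nothing outside the customer's own blocks gets in, so a
    # tagged /32 can only ever null-route the customer's own address space.
    if not prefix_list_permits(route.prefix, customer_prefix_list(blocks)):
        return "deny", route
    # Route-map term 1: community present -> discard next-hop, strip communities, no-export,
    # so the /32 cannot leak to peers even before the peer-facing export policy runs.
    if BLACKHOLE_COMMUNITY in route.communities:
        route.next_hop = DISCARD_NEXT_HOP
        route.communities = set()
        route.no_export = True
        return "blackhole", route
    # Terms 2+ do not look at the community; the generic list's 'le 24' drops untagged /32s.
    if prefix_list_permits(route.prefix, GENERIC_PREFIX_LIST):
        return "accept", route
    return "deny", route


def peer_outbound_permits(route: Route) -> bool:
    """Peer-facing export policy: honour no-export, and require the export community too."""
    return not route.no_export and EXPORT_COMMUNITY in route.communities


if __name__ == "__main__":
    # Constructed sample announcements from a customer holding 198.51.100.0/24 (TEST-NET-2).
    blocks = ["198.51.100.0/24"]
    samples = [
        Route("198.51.100.7/32", {BLACKHOLE_COMMUNITY}),   # tagged /32 inside own block
        Route("198.51.100.7/32"),                           # untagged /32: caught by le 24
        Route("203.0.113.9/32", {BLACKHOLE_COMMUNITY}),    # tagged /32 outside own block
        Route("198.51.100.0/24", {EXPORT_COMMUNITY}),      # ordinary announcement
    ]
    for r in samples:
        decision, out = customer_inbound(r, blocks)
        print(f"{out.prefix:<18} {decision:<9} next_hop={out.next_hop} "
              f"to_peers={peer_outbound_permits(out)}")
```

Because the neighbor prefix-list and the route-map both have to permit a prefix, the order in which the model applies them does not change the accept/deny outcome; it is written prefix-list-first only to make the "own blocks only" check visible. A customer who tags their whole /16 with the community blackholes their whole /16, which is their own space and their own choice, and is exactly the case Stephen could not express with a single prefix-and-length filter.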