nanog mailing list archives
Re: UUNet Offer New Protection Against DDoS
From: Patrick W.Gilmore <patrick () ianai net>
Date: Wed, 3 Mar 2004 18:17:55 -0500
On Mar 3, 2004, at 5:51 PM, Lumenello, Jason wrote:
I struggled with this, and came up with the following. We basically use a standard route-map for all customers where the first term looks for the community. The customer also has a prefix-list on their neighbor statement allowing their blocks le /32. The following terms (term 2 and above) in the route-map which do NOT look for the customer discard community, have a different standard/generic prefix-list evaluation which blocks cruft and permits 0.0.0.0/0 ge 8 le 24. By doing this, I only accept a customer /32 from his dedicated prefix-list when it has the DOS discard community, otherwise I catch them with the ge 8 le 24 in the following terms.
A lot of people seem to be doing this. Mind if I ask what's the harm of letting customers announce /32 or /29s into your core as long as you filter at your borders?
The additional prefixes are not going to kill your routers, and it allows the customer more finely tuned traffic controls. IOW: Seems there is some utility and no harm.
-- TTFN, patrick
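
The acceptance logic described in the quoted message above, modeled as an added example that is not part of the original thread or either poster's configuration. The community value `65000:666` and the customer block `192.0.2.0/24` are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed values for illustration; neither appears in the original thread.
DISCARD_COMMUNITY = "65000:666"                           # hypothetical discard community
CUSTOMER_BLOCKS = [ipaddress.ip_network("192.0.2.0/24")]  # documentation prefix


def in_customer_list(prefix):
    """Neighbor prefix-list: the customer's own blocks, any length up to /32."""
    return any(prefix.subnet_of(block) for block in CUSTOMER_BLOCKS)


def in_generic_list(prefix):
    """Generic prefix-list used by term 2 and above: 0.0.0.0/0 ge 8 le 24.

    The "cruft" (bogon) entries of the generic list are left out here because
    the neighbor prefix-list already limits input to the customer's blocks.
    """
    return 8 <= prefix.prefixlen <= 24


def evaluate(prefix_str, communities=()):
    """Return the policy decision for one announcement from the customer."""
    prefix = ipaddress.ip_network(prefix_str)
    # The prefix-list on the neighbor statement is checked first.
    if not in_customer_list(prefix):
        return "reject"
    # Term 1: discard community present, so any length up to /32 is accepted.
    if DISCARD_COMMUNITY in communities:
        return "accept-discard"
    # Term 2 and above: no discard community, so the ge 8 le 24 limits apply.
    if in_generic_list(prefix):
        return "accept"
    return "reject"


if __name__ == "__main__":
    # Constructed announcements: (prefix, communities attached)
    samples = [
        ("192.0.2.10/32", ["65000:666"]),
        ("192.0.2.10/32", []),
        ("192.0.2.0/24", []),
        ("192.0.2.0/29", []),
        ("198.51.100.1/32", ["65000:666"]),
    ]
    for prefix, comms in samples:
        print(prefix, comms, "->", evaluate(prefix, comms))
```
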