nanog mailing list archives

RE: UUNet Offer New Protection Against DDoS

From: "Lumenello, Jason" <jlumenello () xo com>
Date: Wed, 3 Mar 2004 16:15:44 -0500


XO set up a similar customer community last year for our customers to
trigger their own black hole at our edge. There is no such thing as an
original idea. :) This "promised response" probably means if you press 3
on your phone, you will get a CSR to open a ticket within 15 minutes.
Sounds like nice marketing.

Jason

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf

Of

Stephen Perciballi
Sent: Wednesday, March 03, 2004 12:25 PM
To: Andy Ellifson
Cc: nanog () merit edu
Subject: Re: UUNet Offer New Protection Against DDoS



To the best of my knowledge, MCI/UUNET ~was~ the first to implement

this.

I've
been using it for well over a year now.

The community is 701:9999.  Any route you tag with that community gets
dropped
accross the entire 701 edge.  Feel free to contact support and tell

them

you
want to setup the blackhole community if you are having any troubles.

[Wed, Mar 03, 2004 at 08:34:00AM -0800]
Andy Ellifson Inscribed these words...


When I first saw this post I thought that MCI/UU.Net implemented

some

DDOS

BGP community strings like CW implemented a month ago.  If only all

of

my

upstreams would have this type of BGP Community string my life would

be

made

easier.  Here is the customer release letter from from CW dated

Januray

23,

2004:

Dear Customer,

If you have received this email, you are either a direct customer of
AS3561, (i.e. you have registered a route object for a customer of

AS3561),

or are listed in the maintainer of a customer of AS3561.

AS3561 has implemented a blackhole/DDoS community string based

solution

to

aid customers in the mitigation of DoS attacks. If you are currently

running

BGP with us, you will be able to use this feature.

If you advertise a prefix (route) to us with the community string
3561:666, we will NULL route or 'blackhole' all traffic destined to

that

prefix. The prefixes accepted are based on the current prefix-list

generated

for you. Instead of doing exact match filtering, we will accept any

prefix

(more "specific") within your address block(s). e.g. if you have
192.168.0.0/16 registered, we will accept 192.168.0.0/16 upto /32 as

long as

the 3561:666 community string is attached.

Please ensure you are configured to send community strings and

understand

the impact of errant advertisements. Diligence should be used when
administrating this feature. Once the prefix is received and

propagated

within AS3561, all traffic destined to the prefix will be discarded

and

the

blackholing of traffic will continue as long as DDoS community

string is

being advertised. Neither Cable & Wireless nor AS3561 will be held

liable

or responsible for customers who errantly advertise prefixes with

the

blackhole community string.

If you wish to utilize this feature, you can verify our acceptance

of

the

advertised prefix by querying the AS3561 route server located at
http://lg.cw.net.

Please remember, we require you to complete a priority one incident

report

at http://www.security.cw.net (Report an Incident) and include

details

of the


attack. An email describing further details of the attack can be

sent to

security () cw net, please include the incident report number in the

subject to

assist in the tracking and documentation of the incident. This will

ensure

the attack is properly administrated handled by our Security and

Legal

Groups.



--- John Obi <dalnetuzer () yahoo com> wrote:

Hello Nanogers!

I'm happy to see this, and I hope C&W, Verio, and Level3 ..etc

will do

the

same!

MCI/WorldCom Monday unveiled a new service level agreement (SLA)

to

help IP

services customers thwart and defend against Internet viruses and

threats.


http://informationweek.securitypipeline.com/news/18201396

It's the right time before it's too late!

Regards,

-J


---------------------------------
Do you Yahoo!?
Yahoo! Search - Find what you're looking for faster.


--

Stephen (routerg)
irc.dks.ca

Current thread:

Re: UUNet Offer New Protection Against DDoS, (continued)
- - - Re: UUNet Offer New Protection Against DDoS Erik Haagsman (Mar 03)
  - Re: UUNet Offer New Protection Against DDoS Paul G (Mar 03)
    - Re: UUNet Offer New Protection Against DDoS Randy Bush (Mar 03)
  - Re: UUNet Offer New Protection Against DDoS Stephen Perciballi (Mar 03)
- Re: UUNet Offer New Protection Against DDoS Andy Ellifson (Mar 03)
  - Re: UUNet Offer New Protection Against DDoS Stephen Perciballi (Mar 03)
    - Re: UUNet Offer New Protection Against DDoS Danny McPherson (Mar 03)
  - Re: UUNet Offer New Protection Against DDoS Rob Thomas (Mar 03)
- RE: UUNet Offer New Protection Against DDoS Douglas.Dever (Mar 03)
- RE: UUNet Offer New Protection Against DDoS Terranson, Alif (Mar 03)
- RE: UUNet Offer New Protection Against DDoS Lumenello, Jason (Mar 03)
  - Re: UUNet Offer New Protection Against DDoS james (Mar 03)
    - RE: UUNet Offer New Protection Against DDoS Michael Hallgren (Mar 03)
    - Re: UUNet Offer New Protection Against DDoS Stephen J. Wilcox (Mar 03)
    - Re: UUNet Offer New Protection Against DDoS Patrick W . Gilmore (Mar 03)
    - Re: UUNet Offer New Protection Against DDoS Stephen J. Wilcox (Mar 03)
    - Re: UUNet Offer New Protection Against DDoS Patrick W . Gilmore (Mar 03)
    - Re: UUNet Offer New Protection Against DDoS David Barak (Mar 03)
    - Re: UUNet Offer New Protection Against DDoS James (Mar 04)
    - Re: UUNet Offer New Protection Against DDoS Mark Kasten (Mar 03)
    - Re: UUNet Offer New Protection Against DDoS Deepak Jain (Mar 03)

(Thread continues...)