nanog mailing list archives
Re: Blackholes and IXs and Completing the Attack.
From: "Rick Astley" <jnanog () gmail com>
Date: Sat, 2 Feb 2008 20:02:06 -0500
While I am not sure I fully understand your suggestion, I don't think it would be that hard to set up manually. Sure it would require asking the individual peers for their black hole communities, but if they don't have one they are unlikely to honor the infrastructure you describe anyway.

Assume your network is set up to discard packets marked with community 13005:666. Get a list of your peers' blackhole communities. When you announce the route from a location on your network, tag it with community 13005:666 but also 1111:777, 2222:888 etc. for the individual peers from the source. This prevents you from having to update multiple policies in multiple locations for each attack. As long as they accept the /32 announced to them with their black hole community, they should discard the traffic without sending it to you.

Not all peers will have a blackhole community, but you need some way to know when the attack is over to know when to withdraw the route, and they are useful for this.

If you are real lazy, on the router you announce the black hole from, add an export policy that says from community 13005:666, then community add 1111:777, 2222:888 etc. This way you only need to:

1. Update one policy in one place when peers change
2. Announce the route from one location adding one community to it.
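
The following is an added example, not part of the original message: a small Python model of the single export policy described above, showing where traffic to the blackholed /32 is dropped for each peer. The peer table, AS 3333 (a peer with no blackhole community), the victim address and the assumption that a peer only acts on a host route tagged with its own community are all constructed for illustration.

```python
import ipaddress

LOCAL_BLACKHOLE = "13005:666"  # local discard community from the message

# Peer ASN -> that peer's blackhole community. 1111:777 and 2222:888 are the
# message's placeholders; AS 3333 is a constructed peer that offers none.
PEER_BLACKHOLES = {1111: "1111:777", 2222: "2222:888", 3333: None}


def export_policy(route, peer_blackholes=PEER_BLACKHOLES):
    """The one export policy: if the route carries the local blackhole
    community, add every known peer blackhole community to it."""
    communities = set(route["communities"])
    if LOCAL_BLACKHOLE in communities:
        communities |= {c for c in peer_blackholes.values() if c}
    return {**route, "communities": communities}


def peer_import(peer_asn, route, peer_blackholes=PEER_BLACKHOLES):
    """Assumed peer behaviour: blackhole only a host route that carries
    the peer's own blackhole community."""
    net = ipaddress.ip_network(route["prefix"])
    is_host_route = net.prefixlen == net.max_prefixlen
    own = peer_blackholes.get(peer_asn)
    if own and own in route["communities"] and is_host_route:
        return "discard at peer edge"
    # Traffic still crosses the peering link and is dropped by the
    # origin's own 13005:666 discard policy.
    return "forward to origin"


def mitigation_report(prefix):
    """Tag once at the source, then report each peer's resulting action."""
    route = export_policy({"prefix": prefix, "communities": {LOCAL_BLACKHOLE}})
    return {asn: peer_import(asn, route) for asn in PEER_BLACKHOLES}


if __name__ == "__main__":
    # 192.0.2.10/32 is a constructed victim address (documentation range).
    for asn, action in mitigation_report("192.0.2.10/32").items():
        print(f"AS{asn}: {action}")
```

When a peer is added or changes its community, only the `PEER_BLACKHOLES` table changes; the announcement itself still carries just the one local community at the source.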