nanog mailing list archives

RE: Blackholes and IXs and Completing the Attack.


From: Alex Pilosov <alex () pilosoft com>
Date: Sun, 3 Feb 2008 04:13:38 -0500 (EST)


On Sat, 2 Feb 2008, Tomas L. Byrnes wrote:

> I sincerely doubt that any backbone provider will filter at a /32. That
> means they have to check EVERY PACKET AT FULL IP DEST against your AS
> advertised routes. Since most backbone routers build circuits at the /18
> and above mask on MPLS, just to keep up with traffic, I sincerely doubt
> they are going to expend the CPU, and potentially RAM, never mind prefix
> table entries (you know, those things we're running out of) to have a
> full table of every host that every hoster says is being DDOSed. In this
> case, there's a clear economic cost, for no economic benefit (they do
> actually make money delivering that DDOS traffic).

"most backbone routers build circuits at the /18 and above mask on MPLS" - 
that part is seriously funny.

However:
a) Yes, if such a proposal were to be widely accepted, it would generate more 
entries in RIB/FIB.

b) However, if this service was actually operated by IX's, the limits to
prevent "too much" growth could be applied centrally (max-prefixes per 
ASN, automatic removal of those routes after X days, unless manually 
requested by host, etc).

c) Since only your peers will have those :666 entries, it is less "route
growth" than the alternative of announcing the affected block as /24 
(which you seem to suggest).

> A better approach would be to move your DDOS target and all the rest of
> its co-subnet hosts into a different /24, update the DNS RRs, and cease
> advertising that /24. 

That...is...perverted. Not to mention, you can't "cease advertising /24". 
What you would need to do is to deaggregate your (say) /20 into /21, /22, 
/23 and /24. That's 3 extra entries in FIB for everyone in the world to 
carry.

> If you really want to be nice, they don't need to renumber, you just
> need to stop advertising the target subnet, change the DNS RR's and NAT
> at your borders, if you control DNS and IP. The added benefit of this is
> that you can swap them back when the DDoS is over, and they get to stay
> up while it's happening. All you need to do this is some spare, never to
> be allocated, IP space.

That...is...perverted.

-alex [not speaking as mlc anything]
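Added example, not part of the thread or any IX's actual code: a small model of the two claims in Alex's reply, the centrally enforced limits an IX route server could apply to :666 blackhole announcements (point b: host routes only, prefix must belong to the announcing ASN, max-prefix per ASN, automatic expiry unless the host pins the entry), and the FIB cost of the deaggregation alternative (the /20 minus one /24 case). The IX ASN 64496, the community string "64496:666", the limits, the ASN-to-prefix registration table and the timestamps are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed values: the IX's own ASN and the ":666" blackhole community
# used in the thread; a real IX publishes its own community and limits.
IX_ASN = 64496
BLACKHOLE_COMMUNITY = f"{IX_ASN}:666"
MAX_PREFIXES_PER_ASN = 4        # "max-prefixes per ASN" limit
AUTO_EXPIRE_DAYS = 3            # "automatic removal after X days"

# Constructed sample timestamps for the demonstration below.
T0 = datetime(2008, 2, 3)
T0_PLUS_4_DAYS = T0 + timedelta(days=4)


@dataclass
class BlackholeRoute:
    prefix: object          # IPv4Network or IPv6Network host route
    asn: int
    installed: datetime
    pinned: bool = False    # manually requested by the host to survive expiry


class BlackholeRegistry:
    """Hypothetical route-server policy for IX-operated blackholing."""

    def __init__(self, registered):
        # ASN -> prefixes that ASN is allowed to originate (e.g. taken from
        # IRR/RPKI data); a /32 is only honoured if it falls inside one.
        self.registered = {asn: [ip_network(p) for p in prefixes]
                           for asn, prefixes in registered.items()}
        self.routes = []

    def accept(self, asn, prefix, communities, now, pinned=False):
        """Validate one announcement; return (installed, reason)."""
        net = ip_network(prefix, strict=True)
        host_len = 32 if net.version == 4 else 128
        if BLACKHOLE_COMMUNITY not in communities:
            return False, "missing blackhole community"
        if net.prefixlen != host_len:
            return False, "only host routes accepted"
        if not any(r.version == net.version and net.subnet_of(r)
                   for r in self.registered.get(asn, [])):
            return False, "prefix not registered to ASN"
        if any(r.asn == asn and r.prefix == net for r in self.routes):
            return False, "duplicate"
        if sum(1 for r in self.routes if r.asn == asn) >= MAX_PREFIXES_PER_ASN:
            return False, "max-prefix exceeded"
        self.routes.append(BlackholeRoute(net, asn, now, pinned))
        return True, "installed"

    def expire(self, now):
        """Withdraw unpinned routes older than AUTO_EXPIRE_DAYS; return them."""
        cutoff = now - timedelta(days=AUTO_EXPIRE_DAYS)
        stale = [r for r in self.routes if not r.pinned and r.installed < cutoff]
        self.routes = [r for r in self.routes if r not in stale]
        return [str(r.prefix) for r in stale]


def deaggregation_cost(aggregate, withdrawn):
    """Prefixes needed to keep announcing `aggregate` minus `withdrawn`,
    i.e. what everyone else's FIB carries if you stop advertising one block."""
    agg, drop = ip_network(aggregate), ip_network(withdrawn)
    return [str(n) for n in sorted(agg.address_exclude(drop))]


if __name__ == "__main__":
    reg = BlackholeRegistry({64500: ["192.0.2.0/24"]})
    print(reg.accept(64500, "192.0.2.10/32", [BLACKHOLE_COMMUNITY], T0))
    print(reg.accept(64500, "192.0.2.0/24", [BLACKHOLE_COMMUNITY], T0))
    print(deaggregation_cost("10.0.0.0/20", "10.0.15.0/24"))
```

The registry only ever installs host routes that the announcing ASN is registered for, so a peer cannot blackhole someone else's address, and `expire()` is what keeps the IX-wide RIB from growing without bound; `deaggregation_cost()` shows the alternative Alex objects to costs four prefixes (three extra) in every FIB on the Internet rather than one :666 entry at the peers.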

