nanog mailing list archives

Re: SYN flood messages flooding my mailbox


From: Curtis Villamizar <curtis () ans net>
Date: Mon, 23 Sep 1996 23:07:14 -0400


In message <199609232211.PAA02705 () quest quake net>, Vadim Antonov writes:
Curtis Villamizar <curtis () ans net> wrote:
I guess a picture would help:

    AS X R1  ------  AS Y R3
       |                |
       |                |
    AS X R2  ------  AS Y R4

If the route learned at AS Y R4 is preferred, AS Y R3 may get packets
although the forwarding entry (Fib) points toward AS Y R4, the LocRib
does not contain the entry (no preferred), only the AdjRibIn contains
the entry. If the filter must be set according to AdjRibIn,

That's what I meant.

you now have a filter list **in the forwarding path** considerably longer than
the current routing table.  Won't scale at the very least.

Not.  Every entry in the filter contains the following data:

      [Prefix] [Prefix Length] [Bitmask]

where the bitmask has a bit per interface; the bit is set if a
packet matching the prefix is allowed from that interface.

Since in practically all cases all prefixes (NOT routes!) found in
all RIBs are also found in the FIB (exceptions are proxy aggregation
and/or restricted end-to-end reachability), the size of the list
is the same as the size of the FIB.

In fact, you don't even need to keep a separate table.  Just add a
bitmask field to the FIB entries.

(On customer-access routers with many interfaces, each allowing
only a very small portion of routes in, it may be more economical to
implement explicit per-interface lists than to add fields to the FIB.)

OK.  When you said "do this from BGP data" I didn't assume you'd be
tossing out the next-hop and just keeping the interface.  Although I
suppose a bitmap with a bit per active ARP entry could be used too (as
long as ARP entries could keep a slot reserved after they expire
until all routes using the ARP entry are changed, which shouldn't be
long or there is a problem).

Basing this on the AdjRibIn is more work than just reversing the
sense of the Fib, but it does cover quite a few more cases.  Though not
all of them.

The transit providers still need to be able to trace attacks after the
fact, since there is no filter that covers these cases and filters at
the fringes will be spotty deployments.

Curtis
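The two designs argued over above (a source-address filter derived by reversing the FIB's best path versus one derived from every AdjRibIn, stored as a per-interface bitmask on each FIB entry) can be shown side by side in a toy model. The following is an added example, not code from either poster or from any router vendor; the class name IngressFilterFib, the interface names to_R1 / to_R4 / to_customer, the prefixes and the local-preference values are all constructed for the illustration. It models AS Y R3 from the picture: the prefix is learned both directly from AS X R1 and, with a higher preference, via R4, so the LocRib points at R4 while R3 may still receive packets from R1.

```python
import ipaddress


class IngressFilterFib:
    """Toy FIB whose entries carry a bitmask with one bit per interface.

    The bit for an interface is set when a route for the prefix exists in
    that interface's AdjRibIn, whether or not it is the LocRib best path,
    so source-address validation accepts every interface that advertised
    the prefix, not only the one the FIB forwards toward.
    (Constructed model; interface and prefix names are hypothetical.)
    """

    def __init__(self, interfaces):
        self.bit = {name: 1 << i for i, name in enumerate(interfaces)}
        self.adj_rib_in = {}  # (network, iface) -> local_pref
        self.fib = {}         # network -> {"next_hop_iface", "ingress_mask"}

    def learn(self, iface, prefix, local_pref=100):
        """Record a route in the AdjRibIn of `iface` and rebuild the entry."""
        net = ipaddress.ip_network(prefix)
        self.adj_rib_in[(net, iface)] = local_pref
        self._rebuild(net)

    def withdraw(self, iface, prefix):
        net = ipaddress.ip_network(prefix)
        self.adj_rib_in.pop((net, iface), None)
        self._rebuild(net)

    def _rebuild(self, net):
        paths = {i: lp for (n, i), lp in self.adj_rib_in.items() if n == net}
        if not paths:
            self.fib.pop(net, None)
            return
        best = max(paths, key=paths.get)  # LocRib keeps the single best path
        mask = 0
        for iface in paths:               # AdjRibIn: every advertiser counts
            mask |= self.bit[iface]
        self.fib[net] = {"next_hop_iface": best, "ingress_mask": mask}

    def lookup(self, addr):
        """Longest-prefix match; returns the matching network or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net in self.fib:
            if ip in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return best

    def next_hop_iface(self, addr):
        net = self.lookup(addr)
        return None if net is None else self.fib[net]["next_hop_iface"]

    def source_allowed(self, src, in_iface):
        """AdjRibIn-based check: is `src` acceptable arriving on `in_iface`?"""
        net = self.lookup(src)
        if net is None:
            return False  # never advertised anywhere: drop as spoofed
        return bool(self.fib[net]["ingress_mask"] & self.bit[in_iface])

    def fib_reverse_allowed(self, src, in_iface):
        """The weaker 'reverse the FIB' check: only the best-path interface."""
        return self.next_hop_iface(src) == in_iface


if __name__ == "__main__":
    r3 = IngressFilterFib(["to_R1", "to_R4", "to_customer"])
    r3.learn("to_R1", "192.0.2.0/24", local_pref=100)   # eBGP from AS X R1
    r3.learn("to_R4", "192.0.2.0/24", local_pref=200)   # via R4, preferred
    print("forward via:", r3.next_hop_iface("192.0.2.7"))
    print("AdjRibIn filter, from R1:", r3.source_allowed("192.0.2.7", "to_R1"))
    print("FIB-reverse filter, from R1:", r3.fib_reverse_allowed("192.0.2.7", "to_R1"))
    print("unadvertised source:", r3.source_allowed("203.0.113.5", "to_R1"))
```

The FIB-reverse check rejects legitimate traffic from R1 as soon as R4's path wins, which is exactly the case the picture describes; the bitmask check accepts it while still dropping a source that no neighbour has advertised. Withdrawing R1's advertisement clears its bit, so the filter tracks the AdjRibIn without a separate table.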
