nanog mailing list archives

Re: Effective ways to deal with DDoS attacks?


From: Lincoln Dale <ltd () interlink com au>
Date: Sun, 05 May 2002 18:09:23 +1000


At 03:34 AM 5/05/2002 +0000, Christopher L. Morrow wrote:
> I was hoping someone else might mention this, BUT what about the case of
> customers providing transit for outbound but not inbound traffic for their
> customers?

two methods:

 [1] if your customer has their own AS, have them route the (valid) networks
     to you with the no-export bgp attribute set.

 [2] if they're not BGP connected, then surely you have some idea of what
     subnet(s) they're sending traffic out from? (i hope so).
     if so, then you'd have static-routes for those subnets pointing at their
     interface. you don't necessarily have to include those static-routes in
     announcements to your peers.

both of [1] & [2] may mean that more traffic may 'prefer' the link from you
to the customer. (probably doubly so given you're uunet and the amount of
transit that goes thru you). in that case, perhaps using the no-advertise
community so that the route stays 'local' to a router (or local to a city)
will prove sufficient.


cheers,

lincoln.
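
The difference between the no-export and no-advertise communities mentioned in the message above, as an added example that is not part of the original post. The three-session topology and the router names (customer, edge1, core1, peer) are constructed for illustration; the community values and propagation rules are those of RFC 1997.

```python
# Added example (constructed topology and names, not from the original post).
# Models how the RFC 1997 well-known communities limit where a route travels.
NO_EXPORT = 0xFFFFFF01     # keep the route inside the receiving AS
NO_ADVERTISE = 0xFFFFFF02  # receiving router tells no BGP peer at all

# Constructed chain of BGP sessions: (sender, receiver, session type).
SESSIONS = [
    ("customer", "edge1", "ebgp"),  # customer announces to provider edge
    ("edge1", "core1", "ibgp"),     # inside the provider AS
    ("core1", "peer", "ebgp"),      # provider to an external peer
]


def may_readvertise(communities, session_type):
    """RFC 1997 check a router applies before passing a learned route on."""
    if NO_ADVERTISE in communities:
        return False
    if NO_EXPORT in communities and session_type == "ebgp":
        return False
    return True


def routers_with_route(communities, origin="customer"):
    """Return, in order, every router that ends up holding the route."""
    holders = [origin]
    for sender, receiver, session_type in SESSIONS:
        if sender not in holders:
            continue  # the route never reached this sender
        # The originator tags and sends the route itself; only routers that
        # learned it from someone else apply the community restrictions.
        if sender == origin or may_readvertise(communities, session_type):
            holders.append(receiver)
    return holders


if __name__ == "__main__":
    for name, comms in [("none", set()), ("no-export", {NO_EXPORT}),
                        ("no-advertise", {NO_ADVERTISE})]:
        print(f"{name:13s} -> {routers_with_route(comms)}")
```

With no-export the route is known throughout the provider AS but never reaches the external peer; with no-advertise it stops at the edge router that received it.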

