nanog mailing list archives
Re: attacking DDOS using BGP communities?
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Tue, 22 Oct 2002 09:12:37 +0200 (CEST)
Ok, I'm a bit late to the party but... On Fri, 18 Oct 2002, Saku Ytti wrote:
1) Signaling unwanted traffic. You would set community which would just inform that you are receiving unwanted traffic. This way responsible AS# with statistical netflow could easily automaticly search for these networks and report to NOC if both there is increased traffic to them and community is on.
Interesting idea. However, if people still don't bother to implement filters that make sure spoofed source addresses don't escape their network, will they do this?
2) 'TTL' community. You would have ~10 communities representing how many AS hops until route should not be advertised anymore. If you would experience DOS you'd start from TTL 1 and increase until DOS flow starts again, with any luck you would end up having very limited amount of AS# to communicate with in hopes of fixing their anti-spoofing filters and to catch malicious party.
Also interesting. I've been thinking about something similar for traffic engineering: a more specific announcement could disappear after 3 AS hops or so.
3) 'null route' community. This would only be useful if it would mean that you are also accepting more spesific annoucement, preferally even /32. Most people are propably crying about the idea already, but if you plan it wisely with prefix-limit setting it might not be suicide. Just remember that all downstream prefix-limit+your prefices must be smaller than what your upstream has set for prefix-limit, if this is not done then your downstreams can effectively trigger your upstream prefix-limit killing your connectivity.
Wouldn't it be enough to have this null route community in effect in your upstream network? The big disadvantage is that you're giving in to the DoS attack because the target address becomes unreachable. I've been thinking about a more advanced way of doing this where you redirect the traffic towards an affected host to some "filter box" that would then clean it up. See http://www.bgpexpert.com/antidos.php Iljitsch van Beijnum
Current thread:
- attacking DDOS using BGP communities? Saku Ytti (Oct 17)
- Message not available
- Re: attacking DDOS using BGP communities? Saku Ytti (Oct 18)
- Message not available
- Re: attacking DDOS using BGP communities? Saku Ytti (Oct 18)
- Re: attacking DDOS using BGP communities? Saku Ytti (Oct 18)
- Message not available
- Re: attacking DDOS using BGP communities? Iljitsch van Beijnum (Oct 22)
- Re: attacking DDOS using BGP communities? Hank Nussbacher (Oct 22)
- <Possible follow-ups>
- RE: attacking DDOS using BGP communities? Frank Scalzo (Oct 18)
- RE: attacking DDOS using BGP communities? Jason Lixfeld (Oct 18)
- RE: attacking DDOS using BGP communities? alex (Oct 18)
- RE: attacking DDOS using BGP communities? Christopher L. Morrow (Oct 18)
- RE: attacking DDOS using BGP communities? alex (Oct 18)
- RE: attacking DDOS using BGP communities? Jason Lixfeld (Oct 18)