nanog mailing list archives

Re: DDoS mitigation with BGP communities


From: "Pete Schroebel" <crossfire () smsonline net>
Date: Mon, 14 Jun 2004 23:47:43 -0400



Hello,

I just experienced my first official DDoS attack against my network.
I never realized how helpless I was :(. I had roughly 70 Mbps of
traffic aimed at one IP. The IP wasn't even in use; I'm assuming
someone typed the wrong IP and meant to send it somewhere else. I shut
it down by removing the /24 announcement. This was fine except for
the customers on that /24. I know my upstreams have special
communities I can set via BGP announcements that effectively say 'route
packets to this network to null0'. My question is, what do I need to
put on my router (i.e. code examples) to inject the /32 into the BGP
announcements? I try to be a good net citizen and announce aggregate
blocks. I had to break my /21 up so I could announce everything but
the /24 in the middle. Any help would be greatly appreciated.

Routers are a couple of 7500 series running 12.0.xx.


-Matt

Welcome to the club; they will come again. Trust me, I have had my share of
these for months now. They will come in variations from IOS exploits to UDP
and SYN attacks direct to IP addresses that are mounted or unmounted. Update
your Cisco IOS; they have holes in IOS, BGP holes in 12.0, etc.
Routing to Null0 is one method, but you are still routing it, just killing
packets. What kind of packets are they sending you?


Peter
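For the question Matt raised above (how to get the attacked /32 to the upstream with their blackhole community without breaking the /21 aggregate), here is an added Cisco IOS configuration sketch; it is not from this thread or from either poster. Every AS number, address, tag and community value is a placeholder, and the real community string comes from the upstream's own customer documentation.

```cisco
! Added example, not from the thread. Placeholders: own AS 64496,
! upstream peer 203.0.113.1 in AS 64497, upstream's published blackhole
! community 64497:666, attacked host 198.51.100.10 inside the
! 198.51.96.0/21 aggregate.
!
! aa:nn community format needs this on IOS 12.0
ip bgp-community new-format
!
! 1. Host route for the attacked address to Null0, tagged so the
!    route-map can pick it out. Traffic that still reaches this router
!    for that address is dropped here.
ip route 198.51.100.10 255.255.255.255 Null0 tag 666
!
! 2. Export only tagged statics, and only with the upstream's blackhole
!    community attached. The implicit deny keeps any other static route
!    out of BGP.
route-map RTBH-EXPORT permit 10
 match tag 666
 set community 64497:666 additive
!
! 3. The tagged static becomes a /32 announced beside the normal
!    aggregate. The upstream drops traffic for it at their edge, so the
!    /21 stays announced intact and the rest of the /24 keeps working
!    and the flood never crosses the transit link.
router bgp 64496
 network 198.51.96.0 mask 255.255.248.0
 redistribute static route-map RTBH-EXPORT
 neighbor 203.0.113.1 remote-as 64497
 neighbor 203.0.113.1 send-community
 neighbor 203.0.113.1 route-map UPSTREAM-OUT out
!
! 4. The outbound filter must let the /32 through; a prefix-list that
!    only permits your aggregates silently eats the blackhole route.
ip prefix-list TO-UPSTREAM seq 5 permit 198.51.100.10/32
ip prefix-list TO-UPSTREAM seq 10 permit 198.51.96.0/21
route-map UPSTREAM-OUT permit 10
 match ip address prefix-list TO-UPSTREAM
!
! Checks: the /32 should appear with the community set and show up in
! what is advertised to the peer; remove the static when the attack
! subsides and confirm the /32 withdraws.
! show ip bgp 198.51.100.10 255.255.255.255
! show ip bgp neighbors 203.0.113.1 advertised-routes
! no ip route 198.51.100.10 255.255.255.255 Null0 tag 666
```

Confirm with the upstream beforehand that they accept /32s carrying their blackhole community from your session; many only honour it for prefixes inside the blocks you are registered to announce.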


