nanog mailing list archives
Re: UUNet Offer New Protection Against DDoS
From: James <haesu () towardex com>
Date: Thu, 4 Mar 2004 04:23:27 -0500
in our case, we do the following setup:

1. allow up to /32 within customer's prefix(es)
2. check for 27552:666 (null comm), if matched, set to null'd nexthop
3. now match any prefixes that are longer than /22 on 0.0.0.0/1, that are longer than /22 on 128.0.0.0/2, that are longer than /24 on 192.0.0.0/3. if any of these longer prefixes are matched, tag them with 27552:31337 (which is our equivalent of no-export). If a customer has a legitimate reason to send a /24 within say, 0.0.0.0/1, then we can always override it by adding a deny rule to the matching prefix-list used by the route-map.
4. finally, add maximum-prefix limit to 500

I'll be more than glad to provide config template if anyone is interested. Also have ipv6 version of it as well if interested.

-J

On Wed, Mar 03, 2004 at 10:22:16PM +0000, Stephen J. Wilcox wrote:
> > > I'm puzzled by one aspect on the implementation.. how to build your
> > > customer prefix filters.. that is, we have prefix-lists for prefix and
> > > length. Therefore at present we can only accept a tagged route for a
> > > whole block.. not good if the announcement is a /16 etc !
> >
> > MCI handles this by only filtering on prefix, not length. Well, allowing
> > you to only announce up to your length, not shorter, but longer is allowed.
>
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing this,
> in addition we have an extra filter which overrides anything that would
> deny anything longer than a /24. I'm not keen to change that.. LART appears
> to have little or no effect with my customers, preemption appears to be the
> only way!
>
> Steve
>
> > > Now, I could do as per the website at secsup.org which means we have a
> > > route-map entry to match the community before the filtering .. but that
> > > would allow the customer to null route any ip. What we need is one to
> > > allow them to announce any route including more specifics of the prefix
> > > list - how are folks doing this?
> >
> > It's not hard. I think the old UUNET just used standard ACLs (1->99). :)
> > But with prefix filters, you can set gt & lt prefix lengths on the filters
> > trivially. Of course, your customers can then deaggregate to their hearts
> > content. If they do, you should hunt them down and LART them. But it is
> > useful for some things, especially when combined with no_export, the
> > black-hole communities, or other communities.
--
James Jun                         TowardEX Technologies, Inc.
Technical Lead                    Network Design, Consulting, IT Outsourcing
james () towardex com             Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867   web: http://www.towardex.com , noc: www.twdx.net
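An IOS-style rendering of the four steps James describes, added here as an illustration; it is not his config template, which he offers off-list. The communities 27552:666 and 27552:31337, the three length thresholds and the 500-prefix limit come from the post; the customer AS 64496, the neighbor address 203.0.113.2, the customer blocks 198.51.100.0/22 and 100.64.0.0/22 and the 192.0.2.1 discard next-hop are constructed placeholders, and realising "null'd nexthop" as a static route to Null0 is an assumption about his setup.

```text
! Constructed example. AS 27552 is taken from the community values in the
! post; all addresses and the customer AS below are placeholders.
ip bgp-community new-format
!
! Step 1: only the customer's own blocks, at any length up to /32
ip prefix-list CUST-64496-IN seq 5 permit 198.51.100.0/22 le 32
ip prefix-list CUST-64496-IN seq 10 permit 100.64.0.0/22 le 32
!
! Step 2: 27552:666 asks for the route to be discarded. The next-hop
! must point at Null0 on every router that learns the route.
ip community-list 1 permit 27552:666
ip route 192.0.2.1 255.255.255.255 Null0
!
! Step 3: routes too specific to leave the AS. "longer than /22" is
! ge 23, "longer than /24" is ge 25. A deny entry ahead of the permits
! is the override for a prefix a customer legitimately needs to send.
ip prefix-list TOO-SPECIFIC seq 5 deny 100.64.1.0/24
ip prefix-list TOO-SPECIFIC seq 10 permit 0.0.0.0/1 ge 23
ip prefix-list TOO-SPECIFIC seq 15 permit 128.0.0.0/2 ge 23
ip prefix-list TOO-SPECIFIC seq 20 permit 192.0.0.0/3 ge 25
!
! First matching clause wins: a 27552:666 route takes clause 10 only,
! so any export restriction for blackholes must be set there too.
route-map CUST-64496-IN permit 10
 match community 1
 set ip next-hop 192.0.2.1
!
route-map CUST-64496-IN permit 20
 match ip address prefix-list TOO-SPECIFIC
 set community 27552:31337 additive
!
route-map CUST-64496-IN permit 30
!
router bgp 27552
 neighbor 203.0.113.2 remote-as 64496
 neighbor 203.0.113.2 prefix-list CUST-64496-IN in
 neighbor 203.0.113.2 route-map CUST-64496-IN in
 ! Step 4: tear the session down if the customer leaks a full table
 neighbor 203.0.113.2 maximum-prefix 500
```

The prefix-list in step 1 is applied before the route-map, so a 27552:666 route for an address outside the customer's own blocks is dropped before clause 10 can null-route it.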