nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: UUNet Offer New Protection Against DDoS

From: James <haesu () towardex com>
Date: Thu, 4 Mar 2004 04:23:27 -0500

        in our case, we do the following setup:

        1. allow up to /32 within customer's prefix(es)
        2. check for 27552:666 (null comm), if matched, set to null'd nexthop
        3. now match any prefixes that are longer than /22 on 0.0.0.0/1,
           that are longer than /22 on 128.0.0.0/2, that are longer than /24
           on 192.0.0.0/3. if any of these longer prefixes are matched, tag
           them with 27552:31337 (which is our equivalent of no-export).

             If a customer has a legitimate reason to send a /24 within say,
           0.0.0.0/1, then we can always override it by adding a deny rule to
           the matching prefix-list used by the route-map.

        4. finally, add maximum-prefix limit to 500

I'll be more than glad to provide config template if anyone is interested. Also
have ipv6 version of it as well if interested.

-J

        
On Wed, Mar 03, 2004 at 10:22:16PM +0000, Stephen J. Wilcox wrote:



I'm puzzled by one aspect on the implementation.. how to build your customer
prefix filters.. that is, we have prefix-lists for prefix and length.  
Therefore at present we can only accept a tagged route for a whole block..
not good if the announcement is a /16 etc !


MCI handles this by only filtering on prefix, not length.  Well, 
allowing you to only announce up to your length, not shorter, but 
longer is allowed.


Hmm not keen, have moved acl->prefix w/len to stop folks from doing this, in 
addition we have an extra filter which overrides anything that would deny 
anything longer than a /24. I'm not keen to change that.. LART appears to have 
little or no effect with my customers, preemption appears to be the only way!

Steve



Now, I could do as per the website at secsup.org which means we have a 
route-map
entry to match the community before the filtering .. but that would 
allow the
customer to null route any ip.

What we need is one to allow them to announce any route including more
specifics of the prefix list - how are folks doing this?


It's not hard.  I think the old UUNET just used standard ACLs (1->99). 
:)  But with prefix filters, you can set gt & lt prefix lengths on the 
filters trivially.

Of course, your customers can then deaggregate to their hearts content. 
  If they do, you should hunt them down and LART them.  But it is useful 
for some things, especially when combined with no_export, the 
black-hole communities, or other communities.




-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james () towardex com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
Previous By Date Next
Previous By Thread Next

Current thread: