Trusted Networks Initiative: DDoS fallback set of AS'es
Christopher Morrow
morrowc.lists at gmail.com
Thu Apr 16 21:30:35 UTC 2015
On Thu, Apr 16, 2015 at 4:42 PM, joel jaeggli <joelja at bogus.com> wrote:
> On 4/16/15 1:30 PM, Valdis.Kletnieks at vt.edu wrote:
>> On Thu, 16 Apr 2015 22:13:56 +0200, Job Snijders said:
>>
>>> If you don't want packets from 1312 don't announce to them?
>>
>> I'm probably at least 4-5 AS's away, and you're probably routed to us
>> through Cogent or similar large transit. Feel free to not announce your
>> routes to Cogent because you don't want packets from my AS...
>>
>> (For whatever value of "Cogent" you have for your upstream)
>
> Bearing in mind that transit providers rarely give you communities to
> influence their customers, just peers. There is an illusion of control
> that provider no-export communities provide that always requires
> confirmation when applied. If 1312 buys the full internet cone they can
> also install a default, so they can send you packets even if they in
> fact do not have your route.
lesson learned: don't use an example...
Note I also said:
" (or other similar options)."
(ha! here's more examples!)
o poison the route with the remote ASN in the AS path! (except for
default followers)
o ask for packet filter from upstream isp
o stop announcing your route
o filter on your side of the fence.
in any case the idea still seems silly.
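As an added illustration (not code from this thread or from any of its participants), the following Python simulation shows the first option, AS-path poisoning, and the caveat raised above: a remote AS that runs normal BGP loop detection drops any path that already contains its own ASN, so placing that ASN in the announced AS_PATH keeps it from learning the prefix; but an AS that installs a default toward a neighbour which does hold the route can still forward packets to you. The topology, the private ASNs 64500-64504, and the BFS "first path heard wins" propagation are constructed assumptions for the demo; 1312 is only used because the thread uses it as its example ASN.

```python
from collections import deque

# Constructed sample topology (ASN -> neighbouring ASNs); not real peering data.
# 64500 is "our" network, 64501 our upstream, 1312 the AS we want to keep out.
TOPOLOGY = {
    64500: {64501},
    64501: {64500, 64502, 64503},
    64502: {64501, 1312},
    64503: {64501, 64504},
    1312:  {64502, 64504},
    64504: {64503, 1312},
}


def poison_path(origin, poison_asns):
    """Build the AS_PATH the origin exports so that each ASN in poison_asns
    sees itself in the path and rejects the route (loop detection).
    The origin stays the rightmost ASN so the route remains valid."""
    return [origin] + list(poison_asns) + [origin]


def propagate(topology, origin, origin_export):
    """Flood the announcement hop by hop. Simplifications (assumed for the demo):
    every AS re-exports to every neighbour, and the first path an AS hears
    wins (breadth-first, so effectively shortest path). The one real BGP
    rule modelled is loop detection: a path containing my own ASN is dropped.
    Returns {asn: AS_PATH it accepted}; the origin holds an empty path."""
    learned = {origin: []}
    exports = {origin: list(origin_export)}
    queue = deque([origin])
    while queue:
        asn = queue.popleft()
        for nbr in sorted(topology[asn]):
            if nbr in learned:
                continue                 # already has a path, keep it
            if nbr in exports[asn]:
                continue                 # loop detection: drops poisoned path
            learned[nbr] = list(exports[asn])
            exports[nbr] = [nbr] + learned[nbr]   # prepend own ASN on export
            queue.append(nbr)
    return learned


def can_reach(asn, learned, defaults):
    """True if `asn` can forward packets toward the prefix: it either holds a
    route itself, or follows a default (defaults[asn] -> next-hop ASN) to a
    neighbour that can. This is the 'default followers' caveat."""
    seen = set()
    while asn not in learned:
        if asn in seen or asn not in defaults:
            return False                 # no route and no usable default
        seen.add(asn)
        asn = defaults[asn]
    return True


def demo():
    """Compare a plain announcement with one poisoned against AS 1312."""
    honest = propagate(TOPOLOGY, 64500, [64500])
    poisoned = propagate(TOPOLOGY, 64500, poison_path(64500, [1312]))
    return {
        "honest_1312_path": honest.get(1312),             # [64502, 64501, 64500]
        "poisoned_1312_path": poisoned.get(1312),         # None: route rejected
        "poisoned_1312_no_default": can_reach(1312, poisoned, {}),
        "poisoned_1312_with_default": can_reach(1312, poisoned, {1312: 64502}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows 1312 learning a three-hop path from the plain announcement, learning nothing from the poisoned one, and nonetheless being able to send packets as soon as it points a default at 64502, which is the point joel makes about the full-cone-plus-default case.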