engineering --> ddos and flooding
Sykes, Phil
Phil.Sykes at cweurope.net
Fri Jun 1 18:50:24 UTC 2001
Ooh, a good idea (or is it just late on Friday?)
>Two possible Achilles heels with this approach are that the multihop bgp
>session between the customer and the ISP's low end router may die under
>the flood of the attack.
> Also the low end router could drop its IBGP peering if it
> becomes too flooded with the now redirected traffic.
I think an appropriately secured web-based interface would be better than
multihop-BGP trickery, for the 'death of the customer connection' reason.
I'd hope every responsible noc operator has at least 5 backup dialup
accounts on other people's networks to access the webpage through.
Perhaps the low-end router (or Zebra running box) on the ISP's side could
advertise the routes internally to the ISP network with a next-hop of a big
router that can take the pain (or a security box that can log the packets).
Alternatively, a route-map on each router in the network could null route
any route advertisement with a nullroute community (curses, thought of it a
couple of seconds too late :-)
Cheers,
Phil Sykes, Network Engineer
Cable & Wireless European IP Engineering
p: +49 89 92699 204 m: +49 172 89 79 727
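
The route-map idea from the message above, sketched as an added example that is not part of the original post: a trigger box tags a host route with a nullroute community, and every other router rewrites the next-hop of tagged routes to a discard address. Cisco IOS-style syntax is assumed; the AS number, community value, addresses and route-map names are constructed for illustration.

```cisco
! Constructed example: AS 64500, 192.0.2.1 and 203.0.113.10 are documentation
! values; 10.0.0.1 and 10.0.0.2 stand in for iBGP peer addresses.
!
! --- Trigger box (the low-end router or Zebra host on the ISP side) ---
ip bgp-community new-format
!
! Host route for the address under attack; the tag marks it for export.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
route-map BLACKHOLE-TRIGGER permit 10
 match tag 666
 set community 64500:666 no-export
!
router bgp 64500
 redistribute static route-map BLACKHOLE-TRIGGER
 neighbor 10.0.0.1 remote-as 64500
 neighbor 10.0.0.1 send-community
!
! --- Every other router in the ISP network ---
ip bgp-community new-format
!
! Discard address: any route whose next-hop resolves here is dropped.
ip route 192.0.2.1 255.255.255.255 Null0
!
ip community-list standard NULLROUTE permit 64500:666
!
! Tagged routes get the discard next-hop; everything else passes unchanged.
route-map IBGP-IN permit 10
 match community NULLROUTE
 set ip next-hop 192.0.2.1
route-map IBGP-IN permit 20
!
router bgp 64500
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 route-map IBGP-IN in
```

To log instead of drop, as the message also suggests, the next-hop in IBGP-IN would point at the big router or logging box rather than the discard address.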