engineering --> ddos and flooding

• Previous message (by thread): engineering --> ddos and flooding
• Next message (by thread): engineering --> ddos and flooding
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 14:36 01/06/01 -0400, Mark Mentovai wrote:

>Walter Prue wrote:
> >I came up with a solution for networks with ISP connections to deal
> >quickly with DDOS attacks without having to be able to work with a
> >network technician at the ISP for immediate relief.  If the ISP agrees,
> >install a second low speed connection to the same router your primary
> >router BGP peers with.  Through this low speed connection you run a
> >second bgp session advertising the /32 that is being attacked by the
> >DDOS.  You mark the /32 as NO-ADVERTISE so the route doesn't leave the
> >border router.
>
>Or, without adding an extra connection, negotiate a NULLROUTE community with
>your upstream provider.  This would be a wonderful addition to the
>well-known BGP communities.  I'll bring this up on IDR.

Assuming not adding the extra connection, this means that upstream prefix 
filtering, so that one can't mistakenly inject 255 /24s rather than a 
single /16, would go out the window.  Now think about /32s and what the 
routing tables will start to look like.  Now consider that the upstream 
would also want to send to its upstream Tier-1 the NULLROUTE /32 as well so 
that his bandwidth is not eaten up as well and we have a situation whereby 
routing table size will triple in size every year.

-Hank


>Mark

• Previous message (by thread): engineering --> ddos and flooding
• Next message (by thread): engineering --> ddos and flooding
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]