Effective ways to deal with DDoS attacks?

Leo Bicknell bicknell at ufp.org
Thu May 2 02:15:44 UTC 2002


In a message written on Wed, May 01, 2002 at 08:17:04PM -0500, dies wrote:
> Then you are pushing out /32's and peers would need to accept them.  Then
> someone will want to blackhole /30's, /29's, etc.  Route bloat.  Yum!

I'm not sure what form this would take, but I have long wished
route processing could be sent into a "programming language".  For
this specific example it would be nice to set a maximum number of
route limit for the total number of routes on the session, as well
as /per community/.

That is, community xxxx:666 == blackhole me, and I could limit each
peer to say, 6 of these at a time.  More would not take down the
session, but simply be ignored.

I can carry 6 /32's for every peer I have, and if they only have
6, they will probably use them for the most abusive target.

There are, of course, approximately an infinite number more
applications for a more flexible mechanism.  Of course, it would
require more human smarts, which might be why vendors don't do it.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org
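As an added illustration (not code from the post or from any router vendor), here is a small Python model of the policy described above: a session-wide max-prefix limit plus an independent per-community quota, where surplus blackhole routes are ignored without resetting the session. The community value, the documentation ASN 64496 and the host-route check are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Placeholder blackhole community; the post writes it as "xxxx:666".
# 64496 is a documentation ASN (RFC 5398); assumption, not from the post.
BLACKHOLE = "64496:666"

@dataclass
class Route:
    prefix: str
    communities: frozenset = field(default_factory=frozenset)

@dataclass
class Decision:
    accepted: list
    ignored: list
    session_up: bool

def apply_session_policy(routes, max_total=1000, per_community=None,
                         host_routes_only=True):
    """Session-wide max-prefix limit plus independent per-community quotas.

    Routes over a per-community quota are ignored and the session stays up;
    exceeding max_total tears the session down, the conventional max-prefix
    behaviour the post wants to avoid for blackhole announcements."""
    if per_community is None:
        per_community = {BLACKHOLE: 6}          # e.g. "6 of these at a time"
    used = dict.fromkeys(per_community, 0)
    accepted, ignored = [], []
    for r in routes:
        net = ipaddress.ip_network(r.prefix)    # raises on malformed prefixes
        limited = [c for c in r.communities if c in per_community]
        # Assumption: a blackhole-tagged route must be a host route (/32, /128)
        if (host_routes_only and BLACKHOLE in limited
                and net.prefixlen != net.max_prefixlen):
            ignored.append(r)
            continue
        if any(used[c] >= per_community[c] for c in limited):
            ignored.append(r)                   # over quota: drop, keep session
            continue
        for c in limited:
            used[c] += 1
        accepted.append(r)
        if len(accepted) > max_total:           # conventional max-prefix reset
            return Decision([], list(routes), False)
    return Decision(accepted, ignored, True)
```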
