Effective ways to deal with DDoS attacks?
Leo Bicknell
bicknell at ufp.org
Thu May 2 02:15:44 UTC 2002
In a message written on Wed, May 01, 2002 at 08:17:04PM -0500, dies wrote:
> Then you are pushing out /32's and peers would need to accept them. Then
> someone will want to blackhole /30's, /29's, etc. Route bloat. Yum!
I'm not sure what form this would take, but I have long wished
route processing could be sent into a "programming language". For
this specific example it would be nice to set a maximum number of
route limit for the total number of routes on the session, as well
as /per community/.
That is, community xxxx:666 == blackhole me, and I could limit each
peer to say, 6 of these at a time. More would not take down the
session, but simply be ignored.
I can carry 6 /32's for every peer I have, and if they only have
6, they will probably use them for the most abusive target.
There are, of course, approximately an infinite number more
applications for a more flexible mechanism. Of course, it would
require more human smarts, which might be why vendors don't do it.
--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org