ICANN Targets DDoS Attacks

• Previous message (by thread): ICANN Targets DDoS Attacks
• Next message (by thread): ICANN Targets DDoS Attacks
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

 >> -----> a very small percentage cud be blocked if u were willing to link
>> this to BGP learnt networks..at least those are "complete networks", not
>> subnetted....
>>
>> ofcourse its a very small portion, mebbe u cud ask guys to send more
>> specific BGP routes from now....

I am assuming you mean 'mark /32's for broadcast addresses as specifics
in BGP', or 'propogate subnets in BGP which are the actual networks
as more specifics in which case the broadcast address (& network
address) are obvious'.

But if you are clueful enough to determine which downstream (possibly
customer) IPs are broadcast, and those still have directed broadcast
switched on (for instance as customer claims it's "impossible" to
turn off), then why not just drop all traffic to them rather than
push the routes around.

I have never had customers (used as reflectors) complain that traffic
to their network/broadcast addresses was dropped. In 'a network
with which I was involved', this was standard response if customers
didn't block directed broadcasts quickly. I seem to recall we used
exactly the same blackholing technique (propogate /32s internally
in BGP only with community tag to ensure traffic is next-hopped
to the bit bucket) as we used to drop other malicious traffic,
so it all got dropped at the border rather than at the CPE.

Alex Bligh

• Previous message (by thread): ICANN Targets DDoS Attacks
• Next message (by thread): ICANN Targets DDoS Attacks
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]