attacking DDOS using BGP communities?

Saku Ytti saku+nanog at ytti.fi
Thu Oct 17 21:23:06 UTC 2002


How feasible would these ideas be?

1) Signaling unwanted traffic.
   You would set a community which would just inform that you are receiving
unwanted traffic. This way the responsible AS# with statistical netflow
could easily automatically search for these networks and report to NOC if
there is both increased traffic to them and the community is on.

-would it be effective at all? Could your netflow parser use it easily?
+wouldn't need big changes

2) 'TTL' community.
   You would have ~10 communities representing how many AS hops until the route
should not be advertised anymore. If you would experience DOS you'd start
from TTL 1 and increase until the DOS flow starts again; with any luck you
would end up having a very limited number of AS# to communicate with
in hopes of fixing their anti-spoofing filters and to catch the malicious
party.

-just think about the amount of route-maps :>
-you would need to flap the network possibly 10 times == damped
+some idea who to contact w/o co-operation of NOCs (can be hard)
+wins you time, often DOS is over before you've reached 3rd AS number
  to ask where the traffic is originating.

3) 'null route' community.
   This would only be useful if it would mean that you are also accepting
more specific announcements, preferably even /32. Most people are probably
crying about the idea already, but if you plan it wisely with prefix-limit
settings it might not be suicide. Just remember that all downstream
prefix-limits + your prefixes must be smaller than what your upstream has
set for prefix-limit; if this is not done then your downstreams can
effectively trigger your upstream prefix-limit, killing your connectivity.
How an AS handles the 'null route' community could vary: some set
next-hop to null0, others might set it to an analyzer tool. Just that it
shouldn't reach the other end anymore.

-the obvious: explosion of the global bgp routing table (no, not necessarily)
+effective, you'd instantly free your link from any DOS traffic to given
destination.
-- 
  ++ytti
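The three ideas above, written out as the route-policy logic an upstream would need, as an added example in Python that is not from the original post or from NANOG. Assumptions: the 'null route' community is modelled with 65535:666 (the BLACKHOLE community RFC 7999 later standardised), 65000:N is a hypothetical hop-count ('TTL') community, 192.0.2.1 is a constructed discard next-hop, and all prefixes are IPv4.

```python
import ipaddress

BLACKHOLE = "65535:666"        # stands in for the post's 'null route' community
DISCARD_NEXT_HOP = "192.0.2.1"  # constructed; assumed statically routed to null0
TTL_BASE = 65000                # hypothetical: 65000:N == "advertise N more AS hops"


def customer_import(prefix, communities, customer_prefixes):
    """Idea 3: import policy for one customer announcement.

    Returns (accept, next_hop, reason). More-specifics down to /32 are only
    accepted when tagged with the blackhole community, and then rewritten to
    the discard next-hop so the traffic never reaches the customer link.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    assigned = [ipaddress.ip_network(p) for p in customer_prefixes]
    # Never accept a /32 (or anything else) outside the customer's own space.
    if not any(net.version == a.version and net.subnet_of(a) for a in assigned):
        return (False, None, "not in customer's assigned space")
    if BLACKHOLE in communities:
        return (True, DISCARD_NEXT_HOP, "blackhole")
    # Without the community the usual /24 more-specific limit still applies.
    if net.prefixlen > 24:
        return (False, None, "more-specific than /24 without blackhole community")
    return (True, "customer", "normal")


def ttl_export(communities):
    """Idea 2: decrement the hop-count community on export.

    Returns the rewritten community list, or None when the route must not be
    advertised to the next AS at all.
    """
    out = []
    for comm in communities:
        asn, value = comm.split(":")
        if int(asn) == TTL_BASE:
            if int(value) <= 1:
                return None
            out.append(f"{TTL_BASE}:{int(value) - 1}")
        else:
            out.append(comm)
    return out


def prefix_limit_safe(downstream_limits, own_prefix_count, upstream_limit):
    """Idea 3 caveat: downstream limits + own prefixes must stay below the
    upstream's prefix-limit, or a downstream can trip it and take you down."""
    return sum(downstream_limits) + own_prefix_count < upstream_limit
```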