attacking DDOS using BGP communities?

Iljitsch van Beijnum iljitsch at muada.com
Tue Oct 22 07:12:37 UTC 2002


Ok, I'm a bit late to the party but...

On Fri, 18 Oct 2002, Saku Ytti wrote:

> 1) Signaling unwanted traffic.
>    You would set community which would just inform that you are receiving
> unwanted traffic. This way responsible AS# with statistical netflow
> could easily automaticly search for these networks and report to NOC if
> both there is increased traffic to them and community is on.

Interesting idea. However, if people still don't bother to implement
filters that make sure spoofed source addresses don't escape their
network, will they do this?

> 2) 'TTL' community.
>    You would have ~10 communities representing how many AS hops until route
> should not be advertised anymore. If you would experience DOS you'd start
> from TTL 1 and increase until DOS flow starts again, with any luck you
> would end up having very limited amount of AS# to communicate with
> in hopes of fixing their anti-spoofing filters and to catch malicious
> party.

Also interesting. I've been thinking about something similar for traffic
engineering: a more specific announcement could disappear after 3 AS hops
or so.

> 3) 'null route' community.
>    This would only be useful if it would mean that you are also accepting
> more spesific annoucement, preferally even /32. Most people are propably
> crying about the idea already, but if you plan it wisely with prefix-limit
> setting it might not be suicide. Just remember that all downstream
> prefix-limit+your prefices must be smaller than what your upstream has
> set for prefix-limit, if this is not done then your downstreams can
> effectively trigger your upstream prefix-limit killing your connectivity.

Wouldn't it be enough to have this null route community in effect in your
upstream network?

The big disadvantage is that you're giving in to the DoS attack because
the target address becomes unreachable.

I've been thinking about a more advanced way of doing this where you
redirect the traffic towards an affected host to some "filter box" that
would then clean it up. See http://www.bgpexpert.com/antidos.php

Iljitsch van Beijnum




More information about the NANOG mailing list