attacking DDOS using BGP communities?

• Previous message (by thread): attacking DDOS using BGP communities?
• Next message (by thread): vrf resources?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 09:12 AM 22-10-02 +0200, Iljitsch van Beijnum wrote:

>Ok, I'm a bit late to the party but...
>
>On Fri, 18 Oct 2002, Saku Ytti wrote:
>
> > 1) Signaling unwanted traffic.
> >    You would set community which would just inform that you are receiving
> > unwanted traffic. This way responsible AS# with statistical netflow
> > could easily automaticly search for these networks and report to NOC if
> > both there is increased traffic to them and community is on.
>
>Interesting idea. However, if people still don't bother to implement
>filters that make sure spoofed source addresses don't escape their
>network, will they do this?
>
> > 2) 'TTL' community.
> >    You would have ~10 communities representing how many AS hops until route
> > should not be advertised anymore. If you would experience DOS you'd start
> > from TTL 1 and increase until DOS flow starts again, with any luck you
> > would end up having very limited amount of AS# to communicate with
> > in hopes of fixing their anti-spoofing filters and to catch malicious
> > party.
>
>Also interesting. I've been thinking about something similar for traffic
>engineering: a more specific announcement could disappear after 3 AS hops
>or so.
>
> > 3) 'null route' community.
> >    This would only be useful if it would mean that you are also accepting
> > more spesific annoucement, preferally even /32. Most people are propably
> > crying about the idea already, but if you plan it wisely with prefix-limit
> > setting it might not be suicide. Just remember that all downstream
> > prefix-limit+your prefices must be smaller than what your upstream has
> > set for prefix-limit, if this is not done then your downstreams can
> > effectively trigger your upstream prefix-limit killing your connectivity.
>
>Wouldn't it be enough to have this null route community in effect in your
>upstream network?
>
>The big disadvantage is that you're giving in to the DoS attack because
>the target address becomes unreachable.
>
>I've been thinking about a more advanced way of doing this where you
>redirect the traffic towards an affected host to some "filter box" that
>would then clean it up. See http://www.bgpexpert.com/antidos.php

This is essentially the concept behind Riverhead Networks 
(www.riverhead.com) - diverting the traffic to a specialized hardware box 
on the side, clean out the DDOS traffic and reinject the cleaned traffic 
back into the normal data path.

-Hank Nussbacher
hank at riverhead.com
Consultant
Riverhead Networks


>Iljitsch van Beijnum

• Previous message (by thread): attacking DDOS using BGP communities?
• Next message (by thread): vrf resources?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]