UUNet Offer New Protection Against DDoS

Lumenello, Jason jlumenello at xo.com
Wed Mar 3 21:15:44 UTC 2004


XO set up a similar customer community last year for our customers to
trigger their own black hole at our edge. There is no such thing as an
original idea. :) This "promised response" probably means if you press 3
on your phone, you will get a CSR to open a ticket within 15 minutes.
Sounds like nice marketing.

Jason

> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf
Of
> Stephen Perciballi
> Sent: Wednesday, March 03, 2004 12:25 PM
> To: Andy Ellifson
> Cc: nanog at merit.edu
> Subject: Re: UUNet Offer New Protection Against DDoS
> 
> 
> 
> To the best of my knowledge, MCI/UUNET ~was~ the first to implement
this.
> I've
> been using it for well over a year now.
> 
> The community is 701:9999.  Any route you tag with that community gets
> dropped
> accross the entire 701 edge.  Feel free to contact support and tell
them
> you
> want to setup the blackhole community if you are having any troubles.
> 
> [Wed, Mar 03, 2004 at 08:34:00AM -0800]
> Andy Ellifson Inscribed these words...
> 
> 
> >
> > When I first saw this post I thought that MCI/UU.Net implemented
some
> DDOS
> > BGP community strings like CW implemented a month ago.  If only all
of
> my
> > upstreams would have this type of BGP Community string my life would
be
> made
> > easier.  Here is the customer release letter from from CW dated
Januray
> 23,
> > 2004:
> >
> > Dear Customer,
> >
> > If you have received this email, you are either a direct customer of
> > AS3561, (i.e. you have registered a route object for a customer of
> AS3561),
> > or are listed in the maintainer of a customer of AS3561.
> >
> > AS3561 has implemented a blackhole/DDoS community string based
solution
> to
> > aid customers in the mitigation of DoS attacks. If you are currently
> running
> > BGP with us, you will be able to use this feature.
> >
> > If you advertise a prefix (route) to us with the community string
> > 3561:666, we will NULL route or 'blackhole' all traffic destined to
that
> > prefix. The prefixes accepted are based on the current prefix-list
> generated
> > for you. Instead of doing exact match filtering, we will accept any
> prefix
> > (more "specific") within your address block(s). e.g. if you have
> > 192.168.0.0/16 registered, we will accept 192.168.0.0/16 upto /32 as
> long as
> > the 3561:666 community string is attached.
> >
> > Please ensure you are configured to send community strings and
> understand
> > the impact of errant advertisements. Diligence should be used when
> > administrating this feature. Once the prefix is received and
propagated
> > within AS3561, all traffic destined to the prefix will be discarded
and
> the
> > blackholing of traffic will continue as long as DDoS community
string is
> > being advertised. Neither Cable & Wireless nor AS3561 will be held
> liable
> > or responsible for customers who errantly advertise prefixes with
the
> > blackhole community string.
> >
> > If you wish to utilize this feature, you can verify our acceptance
of
> the
> > advertised prefix by querying the AS3561 route server located at
> > http://lg.cw.net.
> >
> > Please remember, we require you to complete a priority one incident
> report
> > at http://www.security.cw.net (Report an Incident) and include
details
> of the
> >
> > attack. An email describing further details of the attack can be
sent to
> > security at cw.net, please include the incident report number in the
> subject to
> > assist in the tracking and documentation of the incident. This will
> ensure
> > the attack is properly administrated handled by our Security and
Legal
> > Groups.
> >
> >
> >
> > --- John Obi <dalnetuzer at yahoo.com> wrote:
> > > Hello Nanogers!
> > >
> > > I'm happy to see this, and I hope C&W, Verio, and Level3 ..etc
will do
> the
> > > same!
> > >
> > > MCI/WorldCom Monday unveiled a new service level agreement (SLA)
to
> help IP
> > > services customers thwart and defend against Internet viruses and
> threats.
> > >
> > > http://informationweek.securitypipeline.com/news/18201396
> > >
> > > It's the right time before it's too late!
> > >
> > > Regards,
> > >
> > > -J
> > >
> > >
> > > ---------------------------------
> > > Do you Yahoo!?
> > > Yahoo! Search - Find what you're looking for faster.
> >
> 
> --
> 
> Stephen (routerg)
> irc.dks.ca



More information about the NANOG mailing list