UUNet Offer New Protection Against DDoS
Lumenello, Jason
jlumenello at xo.com
Wed Mar 3 22:51:35 UTC 2004
I struggled with this, and came up with the following.
We basically use a standard route-map for all customers where the first
term looks for the community. The customer also has a prefix-list on
their neighbor statement allowing their blocks le /32. The following
terms (term 2 and above) in the route-map which do NOT look for the
customer discard community, have a different standard/generic
prefix-list evaluation which blocks cruft and permits 0.0.0.0/0 ge 8 le
24.
By doing this, I only accept a customer /32 from his dedicated
prefix-list when it has the DOS discard community, otherwise I catch
them with the ge 8 le 24 in the following terms.
Jason Lumenello
IP Engineering
XO Communications
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf
Of
> Stephen J. Wilcox
> Sent: Wednesday, March 03, 2004 3:48 PM
> To: james
> Cc: nanog at merit.edu
> Subject: Re: UUNet Offer New Protection Against DDoS
>
>
>
> I'm puzzled by one aspect on the implementation.. how to build your
> customer
> prefix filters.. that is, we have prefix-lists for prefix and length.
> Therefore
> at present we can only accept a tagged route for a whole block.. not
good
> if the
> announcement is a /16 etc !
>
> Now, I could do as per the website at secsup.org which means we have a
> route-map
> entry to match the community before the filtering .. but that would
allow
> the
> customer to null route any ip.
>
> What we need is one to allow them to announce any route including more
> specifics of the prefix list - how are folks doing this?
>
> Steve
>
> On Wed, 3 Mar 2004, james wrote:
>
> >
> > Global Crossing has this, already in production.
> > I was on the phone with Qwest yesterday & this was one
> > of this things I asked about. Qwest indicated they are
> > going to deploy this shortly. (i.e., send routes tagged with
> > a community which they will set to null)
> >
> >
> > James Edwards
> > Routing and Security
> > jamesh at cybermesa.com
> > At the Santa Fe Office: Internet at Cyber Mesa
> > Store hours: 9-6 Monday through Friday
> > 505-988-9200 SIP:1(747)669-1965
> >
> >
More information about the NANOG
mailing list