UUNet Offer New Protection Against DDoS

James haesu at towardex.com
Thu Mar 4 09:23:27 UTC 2004


In our case, we do the following setup:

        1. allow up to /32 within customer's prefix(es)
        2. check for 27552:666 (null comm), if matched, set to null'd nexthop
        3. now match any prefixes that are longer than /22 on 0.0.0.0/1,
           that are longer than /22 on 128.0.0.0/2, that are longer than /24
           on 192.0.0.0/3. if any of these longer prefixes are matched, tag
           them with 27552:31337 (which is our equivalent of no-export).

           If a customer has a legitimate reason to send a /24 within say,
           0.0.0.0/1, then we can always override it by adding a deny rule to
           the matching prefix-list used by the route-map.

        4. finally, add maximum-prefix limit to 500

I'll be more than glad to provide a config template if anyone is interested. I
also have an IPv6 version of it, if interested.

-J

On Wed, Mar 03, 2004 at 10:22:16PM +0000, Stephen J. Wilcox wrote:
> 
> > > I'm puzzled by one aspect on the implementation.. how to build your customer
> > > prefix filters.. that is, we have prefix-lists for prefix and length.  
> > > Therefore at present we can only accept a tagged route for a whole block..
> > > not good if the announcement is a /16 etc !
> > 
> > MCI handles this by only filtering on prefix, not length.  Well, 
> > allowing you to only announce up to your length, not shorter, but 
> > longer is allowed.
> 
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing this, in 
> addition we have an extra filter which overrides anything that would deny 
> anything longer than a /24. I'm not keen to change that.. LART appears to have 
> little or no effect with my customers, preemption appears to be the only way!
> 
> Steve
> 
> 
> > > Now, I could do as per the website at secsup.org which means we have a
> > > route-map entry to match the community before the filtering .. but that
> > > would allow the customer to null route any ip.
> > >
> > > What we need is one to allow them to announce any route including more
> > > specifics of the prefix list - how are folks doing this?
> > 
> > It's not hard.  I think the old UUNET just used standard ACLs (1->99). 
> > :)  But with prefix filters, you can set gt & lt prefix lengths on the 
> > filters trivially.
> > 
> > Of course, your customers can then deaggregate to their hearts content. 
> >   If they do, you should hunt them down and LART them.  But it is useful 
> > for some things, especially when combined with no_export, the 
> > black-hole communities, or other communities.
> > 
> > 

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james at towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
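The four-step inbound policy described in the post above, written out as an illustrative Cisco IOS-style template. This is an added example, not the poster's own template; the AS number 27552 and the communities 27552:666 and 27552:31337 come from the post, while the customer AS 64496, the link 192.0.2.0/30, the customer blocks 203.0.113.0/24 and 198.51.100.0/22, the null next-hop 192.0.2.254 and all object names are assumed.

```cisco
! Added illustrative template (not the poster's config). Assumed: customer AS 64496,
! peer 192.0.2.2, customer blocks 203.0.113.0/24 + 198.51.100.0/22, null hop 192.0.2.254.
ip bgp-community new-format
!
! Step 1: only the customer's own blocks, any length up to /32
ip prefix-list CUST64496-ORIG seq 10 permit 203.0.113.0/24 le 32
ip prefix-list CUST64496-ORIG seq 20 permit 198.51.100.0/22 le 32
!
! Step 2: the customer blackhole community from the post
ip community-list standard CUST-BLACKHOLE permit 27552:666
!
! Step 3: prefixes "too long" for their region. The seq 5 deny is the
! per-customer override the post describes (a /24 this customer may send).
ip prefix-list DEAGG-LONG seq 5 deny 198.51.100.0/24
ip prefix-list DEAGG-LONG seq 10 permit 0.0.0.0/1 ge 23
ip prefix-list DEAGG-LONG seq 20 permit 128.0.0.0/2 ge 23
ip prefix-list DEAGG-LONG seq 30 permit 192.0.0.0/3 ge 25
!
! The next-hop used for blackholing must resolve to Null0 on every router
ip route 192.0.2.254 255.255.255.255 Null0
!
route-map CUST64496-IN permit 10
 description step 2: customer-requested null route, kept inside our AS
 match ip address prefix-list CUST64496-ORIG
 match community CUST-BLACKHOLE
 set ip next-hop 192.0.2.254
 set community 27552:31337 additive
route-map CUST64496-IN permit 20
 description step 3: tag deaggregates with our no-export equivalent
 match ip address prefix-list DEAGG-LONG
 set community 27552:31337 additive
route-map CUST64496-IN permit 30
 description everything else inside the customer's blocks passes untouched
!
router bgp 27552
 neighbor 192.0.2.2 remote-as 64496
 neighbor 192.0.2.2 prefix-list CUST64496-ORIG in
 neighbor 192.0.2.2 route-map CUST64496-IN in
 neighbor 192.0.2.2 maximum-prefix 500
```

Tagging the blackhole route with 27552:31337 in entry 10 is an added choice, not something the post states; it assumes the outbound policy toward transit and peers (not shown) denies anything carrying 27552:31337, which is what makes the community a no-export equivalent.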
