RIPE NCC publishes case study of youtube.com hijack

Jeff Aitken jaitken at aitken.com
Fri Feb 29 18:14:23 UTC 2008


On Fri, Feb 29, 2008 at 06:46:15AM -0800, David Ulevitch wrote:
> The point is -- Restrictive customer filtering can also bite you in the 
> butt.  Trying to require your providers to do a "ge 19 le 25" (or 
> whatever your largest supernet is), rather than filters for specific 
> prefix sizes seems a worthwhile endeavor so you can de-aggregate on the 
> fly, as necessary.

If you support community-based blackholes, your customers want/need to be
able to advertise up to /32.  At a previous job we defined customer
prefix-filters as "prefix/mask upto 32" and then applied a reasonable
max-prefix setting[1].  This allowed customers to send us a reasonable 
number of deaggregates for blackholing or TE purposes but protected us
from a full-on leak/deaggregation event.  Needless to say, each prefix
with a mask longer than /24 was tagged with no-export as well, so those
longer prefixes weren't propagated beyond our network.

[1] We had a limited number of customer buckets... IIRC something like 2500,
5000, 15000, and 25000.  That keeps the number of different configurations
to a minimum but still gives adequate protection.


--Jeff
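As an added illustration (not from Jeff's post or any particular network's config), the customer policy described above written out in Cisco IOS-style syntax; the AS numbers, addresses, prefix block and the 2500 bucket are constructed/assumed values:

```ios
! Customer-facing BGP policy (constructed example, IOS-style syntax).
! Assumed values: our AS 64496, customer AS 64497, customer block 192.0.2.0/24,
! customer session address 203.0.113.2, iBGP peer 198.51.100.1, bucket 2500.
!
! 1. Prefix filter: only the customer's own allocation, but any mask length
!    up to /32, so blackhole and TE deaggregates pass while foreign space is
!    rejected outright.
ip prefix-list CUST-AS64497 seq 5 permit 192.0.2.0/24 le 32
!
! 2. Matches anything longer than /24, whatever block it came from.
ip prefix-list LONGER-THAN-24 seq 5 permit 0.0.0.0/0 ge 25
!
! 3. Inbound route-map: /25-/32 get no-export so they stay inside our AS;
!    everything else that survived the prefix filter is accepted unchanged.
route-map CUST-AS64497-IN permit 10
 match ip address prefix-list LONGER-THAN-24
 set community no-export additive
route-map CUST-AS64497-IN permit 20
!
router bgp 64496
 neighbor 203.0.113.2 remote-as 64497
 neighbor 203.0.113.2 prefix-list CUST-AS64497 in
 neighbor 203.0.113.2 route-map CUST-AS64497-IN in
 ! 4. Max-prefix bucket: a leak or full deaggregation tears the session down
 !    instead of filling the table; log a warning at 80% so it is visible
 !    before the limit is hit.
 neighbor 203.0.113.2 maximum-prefix 2500 80
 ! iBGP peers must receive the community, or they will not honour no-export.
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 send-community
```

Check the effect with `show ip bgp neighbors 203.0.113.2 received-routes` against `show ip bgp neighbors 203.0.113.2 routes` (requires soft-reconfiguration inbound for the former), and watch for the max-prefix threshold message in the log.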
