Blackholing traffic by ASN

Christopher Morrow morrowc.lists at gmail.com
Thu Jan 31 05:21:57 UTC 2008


On Jan 30, 2008 3:54 PM, Deepak Jain <deepak at ai.net> wrote:
>
>
> This is prior art. (Assuming your hardware has a hardware blackhole (or
> you have a little router sitting on the end of a circuit)) you adjust
> your route-map that would deny the entry to set a community or next-hop
> pointing to your blackhole location.
>
> Nowadays, most equipment can blackhole internally (to null0 say) at full
> speed, so it isn't an issue. Just set your next hop to a good null0
> style location on route import and you are done for traffic destined to
> those locations.
>

...do uRPF-loose-mode and you kill FROM these locations as well...

> For inbound traffic from those locations you would need to do policy
> routing (because you are looking up on source). If you are trying to

(uRPF loose-mode)

> block SPAM or anything TCP-related, you only need to block 1 direction
> to end the conversation.
>

Be cautious of 'synflooding' your internal hosts with this though...
Null0 doesn't generate unreachables at packet rate, but at a lower
(1:1000 I believe on Cisco by default) rate.

> Sounds harsh, but hey, it's your network.
>

wee! and for some extra fun, just append the bad-guy's ASN to your
route announcements, force bgp loop-detection to kill the traffic on
their end (presuming they don't default-route as well)
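
To make the pieces of this exchange concrete, the following is an added
Cisco IOS configuration sketch; it is not from either poster and was not
part of the thread. It shows the import route-map that sends any route
carrying the offending ASN to a next hop statically routed to Null0, the
loose-mode uRPF check that drops packets FROM those prefixes without
policy routing, the ICMP unreachable settings that address the
unreachable-flood concern raised above, and the AS-path prepend trick
that relies on the other side's loop detection. The AS numbers (64496,
64500, 64501), the addresses (192.0.2.0/24, 198.51.100.0/24) and the
interface name are documentation values chosen for the example, not real
networks.

```cisco
! Added example, not from the thread. ASNs 64496/64500/64501 and the
! 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation values.

! 1. A discard route: any prefix whose next hop resolves to 192.0.2.1 is
!    dropped in the forwarding plane, not punted.
ip route 192.0.2.1 255.255.255.255 Null0

! 2. Match any AS_PATH that contains the offending ASN (64496 here).
!    The underscores match a path boundary, so 164496 does not match.
ip as-path access-list 10 permit _64496_

! 3. On import, rewrite the next hop of matching routes to the discard
!    address; everything else passes unchanged (clause 20).
route-map BLACKHOLE-BY-ASN permit 10
 match as-path 10
 set ip next-hop 192.0.2.1
route-map BLACKHOLE-BY-ASN permit 20

router bgp 64500
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 route-map BLACKHOLE-BY-ASN in

! 4. Loose-mode uRPF on the edge interface: a packet whose source
!    address is routed to Null0 fails the check and is dropped, which
!    covers traffic FROM the blackholed prefixes without policy routing.
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any

! 5. Keep the blackhole from becoming an ICMP reflector: no unreachables
!    from Null0 at all, and a slower box-wide rate limit (milliseconds
!    between unreachable messages) for everything else.
interface Null0
 no ip unreachables
ip icmp rate-limit unreachable 1000

! 6. The loop-detection trick from the reply: prepend the offending ASN
!    to your own announcements. When the route propagates to AS 64496,
!    that AS sees its own number in the path and discards the route.
!    This does nothing if they reach you via a default route instead.
route-map PREPEND-BADGUY permit 10
 set as-path prepend 64496
router bgp 64500
 neighbor 198.51.100.1 route-map PREPEND-BADGUY out
```

Step 6 is a hypothetical illustration of the sentence above it, applied
to a single peer; in practice the prepend would have to reach the
offending AS through whatever path it uses to get to you, and the
prepended path is what everyone else sees as well.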



More information about the NANOG mailing list