Securing Border Routers

Ryan Shea ryanshea at
Wed Jan 19 19:11:08 CST 2011

A stateful firewall outside of your router may create a new bottleneck which
increases your risk of DoS. Making sure that you know (and document, and
test) how to effectively contact your service providers should you be
attacked would be a good idea. Find out if your service providers have BGP
communities for remote triggered black hole (document and test). A denial of
service will break the weakest link in the chain toward your services, so
make sure you have appropriate bandwidth, a reasonable server architecture,
and if you have money to burn consider a DDoS mitigation service.


On Wed, Jan 19, 2011 at 7:35 PM, Brandon Kim < at>wrote:

> Gents:
> What measures do you take to protect your border routers? Our routers are
> running BGP so I'm interested
> if there is any way to secure them without interfering with BGP? Is it
> normal to put a firewall in front of the
> border routers?
> I'm concerned about DDOS attacks mainly....although we haven't had any, I
> don't welcome them.....
> Brandon

More information about the NANOG mailing list