Last-call DoS/DoS Attack BCOP

Rob Seastrom rs at seastrom.com
Tue Mar 24 09:27:30 UTC 2015


John Kristoff <jtk at cymru.com> writes:

> If the attack is an infrastructure attack, say a routing interface that
> wouldn't normally receive or emit traffic from its assigned address
> except perhaps for network connectivity testing (e.g. traceroute) or
> control link local control traffic (e.g. local SPF adjacencies, BGP
> neighbors), you can "hide" those addresses, making them somewhat less
> easy to target by using something like unnumbered or unadvertised or
> ambiguous address space (e.g. RFC 1918).

That comes at a cost, both operational/debugging and breaking pmtud.
But if you don't care about collateral damage, setting the interface to
admin-down stops attacks against it *cold*.

Due to the drawbacks, I wouldn't consider this a good candidate for
inclusion in a BCOP document.

I have often thought there ought to be a companion series for
Questionable Current Operational Practices, or maybe "desperate
measures".  I volunteer to write the article on "YOLO upgrades",
wherein one loads untested software on equipment with no OOB, types
"request system reboot", shouts "YOLO", and hits return.

-r
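The trade-off the two posts describe (hidden interface addresses versus broken PMTUD) can be made concrete with a small simulation. The following is an added example, not code from the thread, from NANOG, or from the BCOP draft. It models a sender doing path MTU discovery across three constructed hops, one of which has a 1400-byte egress link: when the router interface that generates the ICMP "fragmentation needed" message is numbered from RFC 1918 space, the sender's edge bogon filter (assumed here, as is common) discards that ICMP, and the sender keeps retrying at 1500 bytes and never learns the smaller MTU. The hop names, addresses, MTUs, and the option of sourcing ICMP errors from a public loopback instead of the interface address are all assumptions of the model, not features of any particular platform.

```python
"""Toy model of path MTU discovery (PMTUD) across a few router hops.

Constructed example, not NANOG or BCOP code. It shows the trade-off from
the thread: numbering a router interface from RFC 1918 space keeps it from
being targeted directly from the Internet, but an ICMP "fragmentation
needed" (type 3, code 4) sourced from that address is dropped by the bogon
filter at the sender's edge, so the sender never learns the smaller MTU and
large DF packets black-hole."""
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass
class Hop:
    name: str
    iface_addr: str           # address of the interface the packet arrives on
    egress_mtu: int
    icmp_src_addr: str = ""   # assumed option: source ICMP errors from a loopback

    def icmp_source(self) -> str:
        return self.icmp_src_addr or self.iface_addr

    def targetable_from_internet(self) -> bool:
        # Rule of thumb for the model: a private (or unadvertised) address has
        # no global route, so packets aimed at it from outside never arrive.
        return not is_rfc1918(self.iface_addr)


@dataclass
class Sender:
    mss_target: int                   # size of the DF packets it wants to send
    filter_rfc1918_icmp: bool = True  # assumed bogon ingress filter at the edge
    path_mtu: int = 1500
    log: list = field(default_factory=list)


def pmtud_transfer(sender: Sender, hops: list, max_attempts: int = 4) -> dict:
    """Send DF packets of min(mss_target, path_mtu) bytes along `hops`,
    shrinking after each ICMP Packet Too Big that actually reaches the sender.
    Returns whether a packet got through, how many tries it took, and the
    path MTU the sender believes in at the end."""
    for attempt in range(1, max_attempts + 1):
        size = min(sender.mss_target, sender.path_mtu)
        for hop in hops:
            if size <= hop.egress_mtu:
                continue
            src = hop.icmp_source()
            if sender.filter_rfc1918_icmp and is_rfc1918(src):
                sender.log.append(f"{hop.name}: PTB from {src} dropped by bogon filter")
            else:
                sender.path_mtu = hop.egress_mtu
                sender.log.append(f"{hop.name}: learned PMTU {hop.egress_mtu} via {src}")
            break  # the oversized DF packet was dropped at this hop either way
        else:
            return {"delivered": True, "attempts": attempt, "pmtu": sender.path_mtu}
    return {"delivered": False, "attempts": max_attempts, "pmtu": sender.path_mtu}


def scenario(core2_addr: str, icmp_src: str = "") -> dict:
    """Constructed topology: a 1400-byte link (e.g. a tunnel) behind hop core2."""
    hops = [
        Hop("edge1", "198.51.100.1", 1500),
        Hop("core2", core2_addr, 1400, icmp_src),
        Hop("edge3", "203.0.113.1", 1500),
    ]
    s = Sender(mss_target=1500)
    result = pmtud_transfer(s, hops)
    result["core2_targetable"] = hops[1].targetable_from_internet()
    result["log"] = s.log
    return result


if __name__ == "__main__":
    cases = [
        ("public interface", dict(core2_addr="192.0.2.9")),
        ("RFC 1918 interface", dict(core2_addr="10.255.0.9")),
        ("RFC 1918 interface, ICMP from public loopback",
         dict(core2_addr="10.255.0.9", icmp_src="192.0.2.254")),
    ]
    for label, kw in cases:
        r = scenario(**kw)
        print(f"{label}: delivered={r['delivered']} pmtu={r['pmtu']} "
              f"core2 targetable={r['core2_targetable']}")
        for line in r["log"]:
            print("   ", line)
```

Running it shows the three outcomes side by side: a publicly numbered core2 is targetable but PMTUD converges on the second attempt; an RFC 1918 core2 is not targetable but every Packet Too Big is filtered and the transfer black-holes; and the third case, where the router sources its ICMP errors from a public loopback while the interface stays private, keeps the hiding benefit without breaking PMTUD. Whether that third option is available depends on the platform, which the model does not claim to know.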



More information about the NANOG mailing list