Last-call DoS/DoS Attack BCOP
mcole.mailinglists at gmail.com
Tue Mar 24 13:29:00 UTC 2015
On 3/24/15 5:27 AM, Rob Seastrom wrote:
> John Kristoff <jtk at cymru.com> writes:
>> If the attack is an infrastructure attack, say a routing interface that
>> wouldn't normally receive or emit traffic from its assigned address
>> except perhaps for network connectivity testing (e.g. traceroute) or
>> control link local control traffic (e.g. local SPF adjacencies, BGP
>> neighbors), you can "hide" those addresses, making them somewhat less
>> easy to target by using something like unnumbered or unadvertised or
>> ambiguous address space (e.g. RFC 1918).
> That comes at a cost, both operational/debugging and breaking pmtud.
> But if you don't care about collateral damage, setting the interface to
> admin-down stops attacks against it *cold*.
> Due to the drawbacks, I wouldn't consider this a good candidate for
> inclusion in a BCOP document.
> I have often thought there ought to be a companion series for
> Questionable Current Operational Practices, or maybe "desperate
> measures". I volunteer to write the article on "YOLO upgrades",
> wherein one loads untested software on equipment with no OOB, types
> "request system reboot", shouts "YOLO", and hits return.
You could have a whole blog series about redistributing BGP into IGPs.
Or a "tricks and tips" section to add an allow any to all of your ACLs.