[102173] in North American Network Operators' Group


Re: Blackholing traffic by ASN

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Thu Jan 31 00:23:02 2008

Date: Wed, 30 Jan 2008 21:21:57 -0800
From: "Christopher Morrow" <morrowc.lists@gmail.com>
To: deepak@ai.net
Cc: "Justin Shore" <justin@justinshore.com>, nanog@merit.edu
In-Reply-To: <47A10E51.6080109@ai.net>
Errors-To: owner-nanog@merit.edu


On Jan 30, 2008 3:54 PM, Deepak Jain <deepak@ai.net> wrote:
>
>
> This is prior art. (Assuming your hardware has a hardware blackhole (or
> you have a little router sitting on the end of a circuit)) you adjust
> your route-map that would deny the entry to set a community or next-hop
> pointing to your blackhole location.
>
> Nowadays, most equipment can blackhole internally (to null0 say) at full
> speed, so it isn't an issue. Just set your next hop to a good null0
> style location on route import and you are done for traffic destined to
> those locations.
>

...do uRPF-loose-mode and you kill FROM these locations as well...

> For inbound traffic from those locations you would need to do policy
> routing (because you are looking up on source). If you are trying to

(uRPF loose-mode)

> block SPAM or anything TCP related, you only need to block 1 direction
> to end the conversation.
>

be cautious of 'synflooding' your internal hosts with this though...
Null0 doesn't generate unreachables at packet-rate, but at a lower
(1:1000 I believe on cisco by default) rate.

> Sounds harsh, but hey, it's your network.
>

wee! and for some extra fun, just append the bad-guy's ASN to your
route announcements, force bgp loop-detection to kill the traffic on
their end (presuming they don't default-route as well)
