[102271] in North American Network Operators' Group


RE: Blackholes and IXs and Completing the Attack.

daemon@ATHENA.MIT.EDU (Alex Pilosov)
Sun Feb 3 04:25:51 2008

Date: Sun, 3 Feb 2008 04:13:38 -0500 (EST)
From: Alex Pilosov <alex@pilosoft.com>
To: "Tomas L. Byrnes" <tomb@byrneit.net>
cc: nanog@merit.edu
In-Reply-To: <70D072392E56884193E3D2DE09C097A9EE5A@pascal.zaphodb.org>
Errors-To: owner-nanog@merit.edu


On Sat, 2 Feb 2008, Tomas L. Byrnes wrote:

> I sincerely doubt that any backbone provider will filter at a /32. That
> means they have to check EVERY PACKET AT FULL IP DEST against your AS
> advertised routes. Since most backbone routers build circuits at the /18
> and above mask on MPLS, just to keep up with traffic, I sincerely doubt
> they are going to expend the CPU, and potentially RAM, never mind prefix
> table entries (you know, those things we're running out of) to have a
> full table of every host that every hoster says is being DDOSed. In this
> case, there's a clear economic cost, for no economic benefit (they do
> actually make money delivering that DDOS traffic).
"most backbone routers build circuits at the /18 and above mask on MPLS" - 
that part is seriously funny.

However:
a) Yes, if such a proposal were to be widely accepted, it would generate more 
entries in RIB/FIB.

b) However, if this service was actually operated by IXs, the limits to
prevent "too much" growth could be applied centrally (max-prefixes per 
ASN, automatic removal of those routes after X days unless manually 
requested by host, etc).

c) Since only your peers will have those :666 entries, it is less "route
growth" than the alternative of announcing the affected block as /24 
(which you seem to suggest).

> A better approach would be to move your DDOS target and all the rest of
> its co-subnet hosts into a different /24, update the DNS RRs, and cease
> advertising that /24. 
That...is...perverted. Not to mention, you can't "cease advertising /24". 
What you would need to do is to deaggregate your (say) /20 into /21, /22, 
/23 and /24. That's 3 extra entries in FIB for everyone in the world to 
carry.

> If you really want to be nice, they don't need to renumber, you just
> need to stop advertising the target subnet, change the DNS RRs and NAT
> at your borders, if you control DNS and IP. The added benefit of this is
> that you can swap them back when the DDOS is over, and they get to stay
> up while it's happening. All you need to do this is some spare, never to
> be allocated, IP space.
That...is...perverted.

-alex [not speaking as mlc anything]
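As an added illustration of the deaggregation point made in the reply above (not code from either poster): the loop below computes the prefixes you would have to announce to keep covering a /20 while no longer covering one /24 inside it, and counts the extra FIB entries every other network ends up carrying. The prefixes 10.0.0.0/20 and 10.0.5.0/24 are constructed stand-ins for the "(say) /20" and the attacked /24; the loop is the hand-written form of what `ipaddress.IPv4Network.address_exclude` does.

```python
"""Added example: what 'ceasing to advertise a /24' costs in FIB entries.

Constructed prefixes (10.0.0.0/20, 10.0.5.0/24) stand in for the /20 and the
attacked /24 discussed in the thread; nothing here comes from the post.
"""
import ipaddress
from typing import List


def deaggregate_excluding(covering: str, hole: str) -> List[ipaddress.IPv4Network]:
    """Return the minimal prefix set that covers `covering` minus `hole`.

    Each step halves the current block, keeps the half that does not contain
    the hole, and continues with the half that does, until what remains is
    exactly the hole.  For a /20 with a /24 hole this yields one prefix of
    each intermediate length (/21, /22, /23, /24), as the reply describes.
    """
    net = ipaddress.ip_network(covering, strict=True)
    gap = ipaddress.ip_network(hole, strict=True)
    if not gap.subnet_of(net):
        raise ValueError(f"{hole} is not inside {covering}")
    kept: List[ipaddress.IPv4Network] = []
    while net != gap:
        left, right = net.subnets(prefixlen_diff=1)
        if gap.subnet_of(left):
            kept.append(right)   # right half is hole-free: announce it
            net = left           # keep splitting the half with the hole
        else:
            kept.append(left)
            net = right
    return sorted(kept)


def extra_global_entries(covering: str, hole: str) -> int:
    """FIB entries the whole Internet carries beyond the original aggregate."""
    return len(deaggregate_excluding(covering, hole)) - 1


def blackhole_entries(targets: List[str]) -> int:
    """Entries for the :666 approach: one /32 per target, seen only by peers."""
    return len({ipaddress.ip_network(t, strict=True) for t in targets})


if __name__ == "__main__":
    for p in deaggregate_excluding("10.0.0.0/20", "10.0.5.0/24"):
        print(p)
    print("extra global entries:", extra_global_entries("10.0.0.0/20", "10.0.5.0/24"))
    print("peer-only /32 entries:", blackhole_entries(["10.0.5.7/32", "10.0.5.9/32"]))
```

Run with no arguments; the four announced prefixes and the "3 extra entries" count from the reply are printed.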

