[16154] in North American Network Operators' Group


Re: SMURF amplifier block list

daemon@ATHENA.MIT.EDU (Forrest W. Christian)
Mon Apr 13 22:03:23 1998

Date: Mon, 13 Apr 1998 19:46:29 -0600 (MDT)
From: "Forrest W. Christian" <forrestc@iMach.com>
To: Vadim Antonov <avg@pluris.com>
cc: Karl Denninger <karl@mcs.net>, Dean Anderson <dean@av8.com>,
        "Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us>, nanog@merit.edu
In-Reply-To: <3532B134.FE986DB4@pluris.com>

On Mon, 13 Apr 1998, Vadim Antonov wrote:

>  Uh.  Just modify BGP routes from that feed to have a next hop pointing
>  to a black hole.  route-maps are sometimes useful.

Could someone PLEASE explain to me how this is accomplished?

Let's assume that you do use a route-map to set next hop to a null
interface or a black hole or something for a prefix.  AND set local pref
appropriately so that route gets preferred.

You now have a routing entry which essentially says:

  "forward packets DESTINED FOR the evil network to the black hole".

What you really want is a routing entry which says:

  "forward packets FROM the evil network to the black hole".

Now, if someone could enlighten me to a way which you can get BGP to make
a routing/filter entry to do this second one, I'd be most grateful.

BTW, I know you can do this with PERL or config scripts or whatever.   The
point is that I don't think that a RBL-like blackhole feed will fix a
smurf attack from the "attacked" perspective, unless I have missed some
knob somewhere.

- Forrest W. Christian (forrestc@imach.com) 
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604      http://www.imach.com
Solutions for your high-tech problems.                  (406)-442-6648
----------------------------------------------------------------------
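
An added illustration, not part of the original message, of the distinction drawn above: a destination-keyed routing table with the feed's prefixes pointed at Null0 still forwards packets that come FROM those prefixes, while a script-generated source ACL does not. The prefixes are constructed documentation ranges, and the ACL number 101 and all function names are assumptions.

```python
import ipaddress

# Constructed sample feed (documentation prefixes, not real amplifier networks).
FEED = ["192.0.2.0/24", "198.51.100.0/25"]

def build_fib(feed, default_nh="forward"):
    """Destination-keyed table: a default route plus feed prefixes -> Null0."""
    fib = {ipaddress.ip_network("0.0.0.0/0"): default_nh}
    for prefix in feed:
        fib[ipaddress.ip_network(prefix)] = "Null0"
    return fib

def lookup(fib, addr):
    """Longest-prefix match on one address."""
    a = ipaddress.ip_address(addr)
    best = max((n for n in fib if a in n), key=lambda n: n.prefixlen)
    return fib[best]

def forward(fib, src, dst):
    """Plain routing: only the destination is consulted, src is ignored."""
    return lookup(fib, dst)

def source_acl(feed, acl=101):
    """Cisco-style extended ACL lines denying traffic FROM each feed prefix."""
    lines = []
    for prefix in feed:
        n = ipaddress.ip_network(prefix)
        lines.append(
            f"access-list {acl} deny ip {n.network_address} {n.hostmask} any")
    lines.append(f"access-list {acl} permit ip any any")
    return lines

def acl_permits(feed, src):
    """Evaluate the generated source ACL against a packet's source address."""
    s = ipaddress.ip_address(src)
    return not any(s in ipaddress.ip_network(p) for p in feed)

if __name__ == "__main__":
    fib = build_fib(FEED)
    # Packet FROM a listed network TO a local host: routing still forwards it.
    print(forward(fib, "192.0.2.10", "203.0.113.5"))
    # Packet TO the listed network: this is all the black-hole route catches.
    print(forward(fib, "203.0.113.5", "192.0.2.255"))
    print("\n".join(source_acl(FEED)))
```
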


