[16157] in North American Network Operators' Group
Re: SMURF amplifier block list
daemon@ATHENA.MIT.EDU (Vadim Antonov)
Tue Apr 14 00:43:11 1998
Date: Mon, 13 Apr 1998 21:33:39 -0700 (PDT)
From: Vadim Antonov <avg@pluris.com>
To: avg@pluris.com, forrestc@iMach.com
Cc: dean@av8.com, jra@scfn.thpl.lib.fl.us, karl@mcs.net, nanog@merit.edu
You're right, silly me.
--vadim
Forrest W. Christian <forrestc@iMach.com> wrote:
On Mon, 13 Apr 1998, Vadim Antonov wrote:
> Uh. Just modify BGP routes from that feed to have a next hop pointing
> to a black hole. route-maps are sometimes useful.
Could someone PLEASE explain to me how this is accomplished?
Let's assume that you do use a route-map to set next hop to a null
interface or a black hole or something for a prefix. AND set local pref
appropriately so that route gets preferred.
You now have a routing entry which essentially says:
"forward packets DESTINED FOR the evil network to the black hole".
What you really want is a routing entry which says:
"forward packets FROM the evil network to the black hole".
Now, if someone could enlighten me to a way which you can get BGP to make
a routing/filter entry to do this second one, I'd be most grateful.
BTW, I know you can do this with PERL or config scripts or whatever. The
point is that I don't think that a RBL-like blackhole feed will fix a
smurf attack from the "attacked" perspective, unless I have missed some
knob somewhere.
- Forrest W. Christian (forrestc@imach.com)
