[31462] in North American Network Operators' Group
Re: netscan.org update
daemon@ATHENA.MIT.EDU (Troy Davis)
Sun Sep 24 16:00:02 2000
Date: Sun, 24 Sep 2000 12:58:05 -0700
From: Troy Davis <troy@nack.net>
To: "James A. T. Rice" <James_R-nanog@jump.org.uk>
Cc: Bill Fumerola <billf@chimesnet.com>,
"Greg A. Woods" <woods@weird.com>, nanog@merit.edu
Message-ID: <20000924125805.A18472@nack.net>
Mail-Followup-To: Troy Davis <troy@nack.net>,
"James A. T. Rice" <James_R-nanog@jump.org.uk>,
Bill Fumerola <billf@chimesnet.com>,
"Greg A. Woods" <woods@weird.com>, nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.BSO.4.21.0009242018120.21447-100000@marvin.jump.org.uk>; from James_R-nanog@jump.org.uk on Sun, Sep 24, 2000 at 08:21:45PM +0100
Errors-To: owner-nanog-outgoing@merit.edu
On Sun, 24 Sep 2000, James A. T. Rice <James_R-nanog@jump.org.uk> wrote:
> Why aggregate ? You could just announce the /32's of the actual broadcast
> addresses, and cause much less damage to other resources on that network.
/32 announcements filter the pre-amplification (attacker -> amplifier)
traffic, which very likely takes a different path than post-amplification
(amplifier -> victim) traffic. Since using 1.2.3.255 as an amplifier can
result in responses from other IPs within 1.2.3.0/24 (and occasionally
even other netblocks), if the attacker <-> amplifier path doesn't accept
the BGP feed, the attack will happen regardless of whether the victim's
upstream accepts the BGP feed.
The /24 announcements filter [most of] the actual flood as well as the
amplifiers.
> Also if you do aggregate, your blackhole route will probably be less
> specific than the 'real' route, so the 'real' route and not the blackhole
> one is what would get used.
Good point. Unaggregated /24s would be the way to go. To keep the
number of routes manageable, we would probably announce just those with a
high amplification ( > 10x).
Cheers,
Troy
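The two routing points made in this exchange (an aggregate blackhole loses to a more specific "real" route, and a /32 blackhole on the broadcast address leaves the rest of the /24 reachable) can be checked with a small longest-prefix-match model. The following is an added illustration, not code from the thread or from netscan.org; the amplifier records, prefixes (RFC 5737 documentation ranges), and the `next_hop`/`compare_blackhole_scopes` helpers are constructed for this example.

```python
import ipaddress

# Constructed sample "amplifier survey" records (prefix, replies per probe).
# These are not real measurements, just the shape of data the thread discusses.
SAMPLE_AMPLIFIERS = [
    ("192.0.2.0/24", 45),     # 45 replies per probe -> announce
    ("198.51.100.0/24", 3),   # low amplification   -> skip
    ("203.0.113.0/24", 12),   # just above 10x      -> announce
]


def amplifier_blackholes(records, min_ratio=10):
    """Return the unaggregated /24s whose amplification ratio exceeds min_ratio.

    This mirrors Troy's suggestion: keep the route count manageable by only
    announcing the /24s with high (> 10x) amplification.
    """
    selected = []
    for prefix, ratio in records:
        net = ipaddress.ip_network(prefix, strict=True)
        if net.prefixlen == 24 and ratio > min_ratio:
            selected.append(net)
    return sorted(selected)


def longest_prefix_match(routes, dst):
    """Pick the most specific route covering dst (longest prefix wins).

    routes: iterable of (prefix, next_hop). Returns (network, next_hop) or None.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop_name in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop_name)
    return best


# The "real" covering route the upstream already carries (constructed).
REAL_ROUTE = ("192.0.2.0/23", "upstream")


def next_hop(routes, dst):
    """Next hop chosen for dst, or 'default' when nothing covers it."""
    match = longest_prefix_match(routes, dst)
    return match[1] if match else "default"


def compare_blackhole_scopes():
    """Evaluate three blackhole strategies against the same covering route.

    For each strategy, report where traffic to the broadcast address
    (192.0.2.255) and to another host in the same /24 (192.0.2.17) ends up.
    """
    strategies = {
        "aggregate /16": ("192.0.0.0/16", "blackhole"),
        "broadcast /32": ("192.0.2.255/32", "blackhole"),
        "unaggregated /24": ("192.0.2.0/24", "blackhole"),
    }
    results = {}
    for name, blackhole in strategies.items():
        table = [REAL_ROUTE, blackhole]
        results[name] = (next_hop(table, "192.0.2.255"),
                         next_hop(table, "192.0.2.17"))
    return results


if __name__ == "__main__":
    for name, (bcast, host) in compare_blackhole_scopes().items():
        print(f"{name:17s} broadcast -> {bcast:9s} other host -> {host}")
    print("announce:", [str(n) for n in amplifier_blackholes(SAMPLE_AMPLIFIERS)])
```

Running it shows the aggregate /16 blackhole never wins against the more specific /23 (James's point), the /32 catches only the broadcast address while 192.0.2.17 still reaches the upstream (Troy's point about responses from other IPs in the /24), and only the unaggregated /24 covers both. Real BGP best-path selection also weighs attributes on equal-length prefixes; this model only shows the prefix-length effect the thread is about.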