[38360] in North American Network Operators' Group
Re: engineering --> ddos and flooding
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Mon Jun  4 00:14:13 2001
Message-Id: <4.3.2.7.2.20010604070720.00ab9620@max.att.net.il>
Date: Mon, 04 Jun 2001 07:13:23 +0200
To: Mark Mentovai <mark-list@mentovai.com>,
	Walter Prue <prue@ISI.EDU>
From: Hank Nussbacher <hank@att.net.il>
Cc: <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.33.0106011432450.449-100000@oak.ggn.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
At 14:36 01/06/01 -0400, Mark Mentovai wrote:
>Walter Prue wrote:
> >I came up with a solution for networks with ISP connections to deal
> >quickly with DDOS attacks without having to be able to work with a
> >network technician at the ISP for immediate relief.  If the ISP agrees,
> >install a second low speed connection to the same router your primary
> >router BGP peers with.  Through this low speed connection you run a
> >second bgp session advertising the /32 that is being attacked by the
> >DDOS.  You mark the /32 as NO-ADVERTISE so the route doesn't leave the
> >border router.
>
>Or, without adding an extra connection, negotiate a NULLROUTE community with
>your upstream provider.  This would be a wonderful addition to the
>well-known BGP communities.  I'll bring this up on IDR.
Assuming not adding the extra connection, this means that upstream prefix 
filtering, so that one can't mistakenly inject 255 /24s rather than a 
single /16, would go out the window.  Now think about /32s and what the 
routing tables will start to look like.  Now consider that the upstream 
would also want to send to its upstream Tier-1 the NULLROUTE /32 as well so 
that his bandwidth is not eaten up as well and we have a situation whereby 
routing table size will triple in size every year.
-Hank
>Mark
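As an added illustration, not part of the original thread or anyone's production configuration: the policy below shows how an upstream could accept a customer's /32 blackhole announcement (Walter's approach, with the route pinned to the border router) without dropping the prefix filtering Hank is worried about. Only the customer's allocated block, or a /32 inside it that carries the agreed community, gets in; the /32 is rewritten to a discard next-hop, tagged NO_ADVERTISE so it never leaves the router, and counted against a per-customer cap so the table cannot balloon. The community value 65000:666, the discard address 10.255.255.1, the prefixes and the cap are all assumed placeholders.

```python
"""Inbound route policy for one customer BGP session that accepts /32
blackhole announcements without giving up ordinary prefix filtering.
Constructed illustration: the community value, prefixes, discard next-hop
and limits are placeholders, not taken from any real configuration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set

BLACKHOLE_COMMUNITY = "65000:666"   # assumed, negotiated blackhole community
NO_ADVERTISE = "NO_ADVERTISE"       # well-known community; route stays on this router
DISCARD_NEXT_HOP = "10.255.255.1"   # assumed local address statically routed to Null0


@dataclass
class Update:
    prefix: str
    communities: Set[str] = field(default_factory=set)
    next_hop: str = "203.0.113.7"   # constructed customer next-hop


@dataclass
class Decision:
    action: str                     # "accept" or "reject"
    reason: str
    next_hop: Optional[str] = None
    communities: Set[str] = field(default_factory=set)


class CustomerPolicy:
    """Prefix-list filter plus a bounded blackhole exception."""

    def __init__(self, allowed_prefixes, max_blackholes):
        self.allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
        self.max_blackholes = max_blackholes   # cap on /32s held per customer
        self.blackholes = set()

    def _covering(self, net):
        # The allocated block this prefix falls inside, if any.
        return next((a for a in self.allowed if net.subnet_of(a)), None)

    def evaluate(self, upd: Update) -> Decision:
        net = ipaddress.ip_network(upd.prefix)
        covering = self._covering(net)
        if covering is None:
            return Decision("reject", "prefix not within customer allocation")
        if net.prefixlen == covering.prefixlen:
            # The allocated block itself: ordinary acceptance, attributes untouched.
            return Decision("accept", "allocated prefix", upd.next_hop, set(upd.communities))
        if net.prefixlen == net.max_prefixlen and BLACKHOLE_COMMUNITY in upd.communities:
            if net not in self.blackholes and len(self.blackholes) >= self.max_blackholes:
                return Decision("reject", "per-customer blackhole limit reached")
            self.blackholes.add(net)
            # Rewrite next-hop to the discard address and pin the route locally so
            # the /32 never propagates to upstreams or the wider table.
            return Decision("accept", "blackhole", DISCARD_NEXT_HOP,
                            {BLACKHOLE_COMMUNITY, NO_ADVERTISE})
        # Any other more-specific (e.g. 255 /24s out of a /16) is still filtered.
        return Decision("reject", "more-specific without blackhole community")

    def withdraw(self, prefix: str) -> None:
        # Withdrawals free the slot once the attack subsides.
        self.blackholes.discard(ipaddress.ip_network(prefix))


def run_demo():
    """Constructed updates from a customer allocated 192.0.2.0/24."""
    policy = CustomerPolicy(["192.0.2.0/24"], max_blackholes=2)
    updates = [
        Update("192.0.2.0/24"),                                  # normal prefix
        Update("192.0.2.0/25"),                                  # deaggregation
        Update("192.0.2.55/32", {BLACKHOLE_COMMUNITY}),          # attacked host
        Update("192.0.2.56/32"),                                 # /32 without tag
        Update("198.51.100.9/32", {BLACKHOLE_COMMUNITY}),        # not customer's
    ]
    return [(u.prefix, policy.evaluate(u).action) for u in updates]


if __name__ == "__main__":
    for prefix, action in run_demo():
        print(f"{prefix:18} {action}")
```

The cap and the NO_ADVERTISE tag are the two knobs that answer the table-growth objection: the /32s exist only on the one border router and only in bounded numbers, while the existing prefix list still rejects any deaggregation that is not an explicitly tagged blackhole.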