[47272] in North American Network Operators' Group
Re: Effective ways to deal with DDoS attacks?
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Wed May 1 22:16:39 2002
Date: Wed, 1 May 2002 22:15:44 -0400
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@merit.edu
Message-ID: <20020502021544.GA31943@ussenterprise.ufp.org>
Mail-Followup-To: nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.33.0205012011300.32456-100000@shell.pulltheplug.com>
Errors-To: owner-nanog-outgoing@merit.edu
In a message written on Wed, May 01, 2002 at 08:17:04PM -0500, dies wrote:
> Then you are pushing out /32's and peers would need to accept them. Then
> someone will want to blackhole /30's, /29's, etc. Route bloat. Yum!
I'm not sure what form this would take, but I have long wished
route processing could be sent into a "programming language". For
this specific example it would be nice to set a maximum route
limit for the total number of routes on the session, as well
as /per community/.
That is, community xxxx:666 == blackhole me, and I could limit each
peer to say, 6 of these at a time. More would not take down the
session, but simply be ignored.
I can carry 6 /32's for every peer I have, and if they only have
6, they will probably use them for the most abusive target.
There are, of course, approximately an infinite number more
applications for a more flexible mechanism. Of course, it would
require more human smarts, which might be why vendors don't do it.
--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
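The per-community route limit Leo describes above, modelled as an added example; this is not code from the post or from any router vendor. It assumes a blackhole community of 65000:666 standing in for "xxxx:666", a cap of 6 blackhole routes per peer, and RFC 5737 documentation prefixes as constructed sample routes. The session-wide limit is modelled the way max-prefix conventionally behaves (exceeding it tears the session down), while routes beyond a per-community cap are simply ignored and the session stays up, which is the distinction the post draws. A withdraw frees a slot, so the cap is "6 at a time" rather than "6 ever".

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed stand-in for the post's "xxxx:666" blackhole community.
BLACKHOLE = "65000:666"


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: FrozenSet[str] = frozenset()


@dataclass
class Session:
    """Inbound policy for one BGP peer (illustrative model, not a real BGP speaker).

    max_total:     conventional max-prefix limit; exceeding it tears the session down.
    per_community: cap on accepted routes carrying a given community; routes beyond
                   the cap are ignored while the session stays up.
    """
    max_total: int
    per_community: Dict[str, int]
    accepted: Dict[str, Route] = field(default_factory=dict)   # keyed by prefix
    ignored: List[Tuple[str, str]] = field(default_factory=list)
    up: bool = True

    def count(self, community: str) -> int:
        """Number of currently accepted routes tagged with `community`."""
        return sum(1 for r in self.accepted.values() if community in r.communities)

    def update(self, route: Route) -> Optional[str]:
        """Process one UPDATE. Return None if accepted, else the reason it was not."""
        if not self.up:
            return "session down"
        try:
            ip_network(route.prefix, strict=True)
        except ValueError:
            self.ignored.append((route.prefix, "malformed prefix"))
            return "malformed prefix"
        # A new UPDATE for a prefix replaces the previous path (implicit withdraw),
        # so the old copy must not count toward the limits while we evaluate the new one.
        self.accepted.pop(route.prefix, None)
        for community, cap in self.per_community.items():
            if community in route.communities and self.count(community) >= cap:
                reason = f"community {community} limit {cap} reached"
                self.ignored.append((route.prefix, reason))
                return reason
        if len(self.accepted) >= self.max_total:
            # Conventional max-prefix behaviour: drop everything and take the session down.
            self.up = False
            self.accepted.clear()
            return "max-prefix exceeded, session torn down"
        self.accepted[route.prefix] = route
        return None

    def withdraw(self, prefix: str) -> bool:
        """Remove a route; returns True if it was present (which frees a community slot)."""
        return self.accepted.pop(prefix, None) is not None


def demo() -> Dict[str, object]:
    """Constructed scenario: a peer sends 8 blackhole /32s against a cap of 6."""
    s = Session(max_total=100, per_community={BLACKHOLE: 6})
    for i in range(1, 9):
        s.update(Route(f"192.0.2.{i}/32", frozenset({BLACKHOLE})))
    after_burst = (s.count(BLACKHOLE), len(s.ignored), s.up)
    s.update(Route("198.51.100.0/24"))                     # ordinary route, unaffected by the cap
    s.withdraw("192.0.2.1/32")                             # frees one blackhole slot
    ninth = s.update(Route("192.0.2.9/32", frozenset({BLACKHOLE})))
    return {
        "after_burst": after_burst,
        "total_after": len(s.accepted),
        "ninth_accepted": ninth is None,
        "malformed": s.update(Route("192.0.2.1/24")),
    }


def teardown_demo() -> Tuple[bool, int, Optional[str]]:
    """Constructed scenario: the session-wide limit, by contrast, takes the session down."""
    s = Session(max_total=2, per_community={})
    for p in ("203.0.113.0/25", "203.0.113.128/25"):
        s.update(Route(p))
    third = s.update(Route("198.51.100.0/24"))
    return s.up, len(s.accepted), third


if __name__ == "__main__":
    print(demo())
    print(teardown_demo())
```

The useful property is that the 7th and 8th blackhole routes land in `ignored` with a reason, while the peer's other routes and the session itself are untouched; a peer with only 6 slots has to spend them on the targets it cares most about, as the post argues.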