[47274] in North American Network Operators' Group
Re: Effective ways to deal with DDoS attacks?
daemon@ATHENA.MIT.EDU (Richard A Steenbergen)
Wed May 1 22:23:23 2002
Date: Wed, 1 May 2002 22:22:42 -0400
From: Richard A Steenbergen <ras@e-gerbil.net>
To: nanog@merit.edu
Message-ID: <20020502022242.GD523@overlord.e-gerbil.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020502021544.GA31943@ussenterprise.ufp.org>
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, May 01, 2002 at 10:15:44PM -0400, Leo Bicknell wrote:
>
> In a message written on Wed, May 01, 2002 at 08:17:04PM -0500, dies wrote:
> > Then you are pushing out /32's and peers would need to accept them. Then
> > someone will want to blackhole /30's, /29's, etc. Route bloat. Yum!
>
> I'm not sure what form this would take, but I have long wished
> route processing could be sent into a "programming language". For
> this specific example it would be nice to set a maximum number of
> route limit for the total number of routes on the session, as well
> as /per community/.
Agreed wholeheartedly. But then you'd have to have network engineers who
could program (and no, Perl doesn't count). :)
> That is, community xxxx:666 == blackhole me, and I could limit each
> peer to say, 6 of these at a time. More would not take down the
> session, but simply be ignored.
>
> I can carry 6 /32's for every peer I have, and if they only have
> 6, they will probably use them for the most abusive target.
I give it 2 months, then they'll start hitting random dst IPs in a target
prefix (say a common /24 going through the same path).
--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
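The policy Leo sketches above (a blackhole community honoured for at most N routes per peer, with excess routes ignored rather than the session being torn down, plus a session-wide total) can be modelled as a small route filter. The following is an added illustration, not code from this thread or from any router vendor; the community value 65000:666, the prefixes, the limit of six and the rule that the blackhole community is only honoured on host routes are all constructed or assumed here (the last one is a response to the /30, /29 route-bloat concern raised earlier in the thread).

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical community value; the thread writes it as xxxx:666.
BLACKHOLE = "65000:666"


@dataclass(frozen=True)
class Route:
    prefix: str                                 # e.g. "192.0.2.7/32"
    communities: FrozenSet[str] = frozenset()   # standard communities as "asn:value"


@dataclass
class PeerPolicy:
    """Limits for one BGP session, evaluated over a batch of received routes."""
    max_total: int                      # cap on all routes accepted from this peer
    per_community: Dict[str, int]       # community -> cap on routes carrying it
    blackhole_only_hosts: bool = True   # honour the blackhole community only on /32s (or /128s)


def apply_policy(routes: List[Route],
                 policy: PeerPolicy) -> Tuple[List[Route], List[Tuple[Route, str]]]:
    """Return (accepted, ignored); each ignored entry pairs the route with a reason.

    Routes over a limit are dropped silently, which is the behaviour asked for
    in the thread; a conventional maximum-prefix knob would instead reset the
    session once the total is exceeded.
    """
    accepted: List[Route] = []
    ignored: List[Tuple[Route, str]] = []
    seen: Dict[str, int] = {c: 0 for c in policy.per_community}

    for route in routes:
        net = ip_network(route.prefix, strict=False)

        # A blackhole request that is not a host route would blackhole more than
        # one address; refuse it rather than carry the more specific.
        if (BLACKHOLE in route.communities and policy.blackhole_only_hosts
                and net.prefixlen != net.max_prefixlen):
            ignored.append((route, "blackhole community on a non-host prefix"))
            continue

        if len(accepted) >= policy.max_total:
            ignored.append((route, "session total limit reached"))
            continue

        # Per-community cap: any tagged community already at its cap blocks the route.
        over = [c for c in route.communities
                if c in policy.per_community and seen[c] >= policy.per_community[c]]
        if over:
            ignored.append((route, f"per-community limit reached for {sorted(over)}"))
            continue

        for c in route.communities:
            if c in seen:
                seen[c] += 1
        accepted.append(route)

    return accepted, ignored


def sample_update() -> List[Route]:
    """Constructed batch: one ordinary /24, eight host blackholes, one /29 blackhole."""
    routes = [Route("198.51.100.0/24")]
    routes += [Route(f"192.0.2.{i}/32", frozenset({BLACKHOLE})) for i in range(1, 9)]
    routes.append(Route("203.0.113.8/29", frozenset({BLACKHOLE})))
    return routes


def demo() -> Tuple[List[Route], List[Tuple[Route, str]]]:
    """Six blackholes per peer, as in the thread; generous session-wide total."""
    policy = PeerPolicy(max_total=1000, per_community={BLACKHOLE: 6})
    return apply_policy(sample_update(), policy)


if __name__ == "__main__":
    accepted, ignored = demo()
    for r in accepted:
        print("accept", r.prefix, sorted(r.communities))
    for r, why in ignored:
        print("ignore", r.prefix, "-", why)
```

With the sample batch the filter accepts the /24 and the first six /32 blackholes, ignores the seventh and eighth for exceeding the per-community cap, and ignores the /29 because the blackhole community is only honoured on host routes. Setting `max_total` low shows the session-wide cap taking effect without any session reset.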