[47283] in North American Network Operators' Group
Re: Effective ways to deal with DDoS attacks?
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Thu May 2 00:40:21 2002
Date: Thu, 2 May 2002 04:39:12 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: dies <dies@pulltheplug.com>
Cc: Wojtek Zlobicki <wojtekz@idirect.com>, <measl@mfn.org>,
<nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.33.0205012011300.32456-100000@shell.pulltheplug.com>
Message-ID: <Pine.GSO.4.33.0205020437220.11583-100000@rampart.argfrp.us.uu.net>
On Wed, 1 May 2002, dies wrote:
>
>
> Then you are pushing out /32's and peers would need to accept them. Then
> someone will want to blackhole /30's, /29's, etc. Route bloat. Yum!
>
Yes.
> Additionally you are creating a way to basically destroy the Internet as a
> whole. One kiddie gets ahold of a router, say of a large backbone
> provider, takes one of their aggregate blocks (/16? /10? /8?) and splits
> it into /32 announcements.
>
Or, blackhole the /16 :) more fun! (assuming no other smaller
announcements inside that /16 of course)
> Anyways, some providers already allow you to set a community on a route,
> and they will in turn "blackhole" it for you. I believe Teleglobe does
> this for some customers and I know UUNet does this for all customers.
Hmm, Mr. 'dies' is almost correct... if you are a UUNET customer and you
would like to do this please call the customer service center and they
will help you to configure this 'service'.
Thanks though Mr. 'dies' :)
>
> On Wed, 1 May 2002, Wojtek Zlobicki wrote:
>
> >
> > > > What processes and/or tools are large networks using to
> > > > identify and limit the impact of DDoS attacks?
> > >
> > > A great deal of thought is being expended on this question, I am certain,
> > > however, how many of these thought campaigns have borne significant fruit
> > > yet, I do not know.
> >
> > How about the following:
> >
> > We develop a new community, being fully transitive (666 would be
> > appropriate) and either build into router code or create a route map to
> > null route anything that contains this community. The effect of this being
> > the distribution of the force of the attack.
> >
> > This aside, how effective would be using a no export community with one's
> > peers (being non transitive, it would still distribute the force of the
> > attack).
> >
> >
> >
>
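
Added example, not part of the original message or any provider's actual configuration: a sketch of the acceptance check a provider could run on customer routes carrying a blackhole community, so that only host routes inside the customer's own registered space are null-routed and they are not passed on to peers. The community value 65000:666, the /24 limit for ordinary routes, the host-route-only rule and the function names are assumptions.

```python
import ipaddress

BLACKHOLE = (65000, 666)    # assumed value; the thread only proposes "666"
NO_EXPORT = (65535, 65281)  # well-known NO_EXPORT community (RFC 1997)
MAX_NORMAL_LEN = 24         # assumed ordinary IPv4 prefix-length limit

def evaluate(prefix, communities, customer_prefixes):
    """Decide what to do with one route received from a customer session.

    Returns (action, communities_out); action is accept, discard or reject.
    """
    net = ipaddress.ip_network(prefix)
    owned = any(
        net.version == a.version and net.subnet_of(a)
        for a in map(ipaddress.ip_network, customer_prefixes)
    )
    if not owned:
        return ("reject", set())      # not address space registered to this customer
    if BLACKHOLE not in communities:
        ok = net.prefixlen <= MAX_NORMAL_LEN
        return ("accept", set(communities)) if ok else ("reject", set())
    if net.prefixlen != net.max_prefixlen:
        return ("reject", set())      # refuses a tagged aggregate such as a /16
    # Host route inside the customer's own block: null-route it locally and
    # add NO_EXPORT so the /32 is not passed on to peers.
    return ("discard", set(communities) | {NO_EXPORT})

# Constructed sample input (documentation prefixes, not real routes).
CUSTOMER = ["198.51.100.0/24"]
SAMPLE = [
    ("198.51.100.7/32", {BLACKHOLE}),   # victim host, tagged
    ("198.51.100.0/24", {BLACKHOLE}),   # whole block tagged
    ("203.0.113.9/32", {BLACKHOLE}),    # someone else's host, tagged
    ("198.51.100.0/24", set()),         # ordinary announcement
]

def run_sample():
    return [evaluate(p, c, CUSTOMER)[0] for p, c in SAMPLE]

if __name__ == "__main__":
    for (p, _), action in zip(SAMPLE, run_sample()):
        print(f"{p:18} {action}")
```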