[47510] in North American Network Operators' Group
Re: Effective ways to deal with DDoS attacks?
daemon@ATHENA.MIT.EDU (Lincoln Dale)
Sun May 5 04:09:24 2002
Message-Id: <5.1.0.14.2.20020505180138.03241008@mail.interlink.com.au>
Date: Sun, 05 May 2002 18:09:23 +1000
To: "Christopher L. Morrow" <chris@UU.NET>
From: Lincoln Dale <ltd@interlink.com.au>
Cc: Stephen Griffin <stephen.griffin@rcn.com>,
Iljitsch van Beijnum <iljitsch@muada.com>, <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.33.0205050329300.11583-100000@rampart.argfrp.us.uu.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
At 03:34 AM 5/05/2002 +0000, Christopher L. Morrow wrote:
>I was hoping someone else might mention this, BUT what about the case of
>customers providing transit for outbound but not inbound traffic for their
>customers?
two methods:
[1] if your customer has their own AS, have them route the (valid) networks
to you with the no-export bgp attribute set.
[2] if they're not BGP connected, then surely you have some idea of what
subnet(s) they're sending traffic out from? (i hope so).
if so, then you'd have static-routes for those subnets pointing at
their interface.
you don't necessarily have to include those static-routes in
announcements to your peers.
both of [1] & [2] may mean that more traffic may 'prefer' the link from you
to the customer. (probably doubly so given you're uunet and the amount of
transit that goes thru you). in that case, perhaps using the no-advertise
community so that the route stays 'local' to a router (or local to a city)
will prove sufficient.
cheers,
lincoln.