[58414] in North American Network Operators' Group
Re: Using Policy Routing to stop DoS attacks
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Mon May 12 16:31:54 2003
Date: Mon, 12 May 2003 20:29:32 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Stefan Mink <mink@schlund.net>
Cc: Haesu <haesu@towardex.com>, jtk@aharp.is-net.depaul.edu,
nanog@merit.edu
In-Reply-To: <20030512095552.GA24293@schlund.net>
Errors-To: owner-nanog-outgoing@merit.edu

On Mon, 12 May 2003, Stefan Mink wrote:
> On Tue, Mar 25, 2003 at 04:58:59PM +0000, Christopher L. Morrow wrote:
> > you could hold blackhole routes for these destinations in your route table
> > (local or bgp) So long as the destination for the source is bad (null for
> > instance) the traffic would get dropped. I believe the proper terms from
> > cisco for this are: "So long as the adjacency is invalid" ...
>
> is there a way to make this source-blackhole-routing work
> on J's too (does this work with discard-routes too)?
>
I believe someone from Juniper should likely answer this question :) As I
understand the setup from a Cisco perspective (and someone from Cisco can
correct me if I get it wrong), uRPF works in such a way that if the source
address's destination has an invalid FIB entry (or no entry, or Null0) the
packets are dropped.
Perhaps Juniper implemented it this way? I have not checked any more
closely than this. Sorry. :(
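
The source-lookup behaviour described in the message above, as a small model added here for illustration (it is not part of the original post and is not any vendor's implementation). The prefixes, next-hop names and function names are constructed; only the source-address lookup is modelled, with no per-interface check.

```python
import ipaddress

NULL0 = "Null0"  # discard adjacency, as in a blackhole static route


class Fib:
    """Toy FIB: longest-prefix match over prefix -> next-hop entries."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None  # no FIB entry at all
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def urpf_permits(fib, src):
    """Source check as the message describes it: the packet is dropped
    when the route back to the source is missing or points at Null0."""
    next_hop = fib.lookup(src)
    return next_hop is not None and next_hop != NULL0


def forward(fib, src, dst):
    """Apply the source check first, then ordinary destination forwarding."""
    if not urpf_permits(fib, src):
        return "drop: uRPF source check"
    next_hop = fib.lookup(dst)
    if next_hop is None or next_hop == NULL0:
        return "drop: destination unroutable"
    return f"forward via {next_hop}"


def build_sample_fib():
    """Constructed routes using documentation prefixes."""
    fib = Fib()
    fib.add("198.51.100.0/24", "peer-a")
    fib.add("203.0.113.0/24", "customer-1")
    # Blackhole route (local static or learned via BGP) for one attacking
    # source: the more specific /32 wins the longest-prefix match.
    fib.add("198.51.100.66/32", NULL0)
    return fib
```

Installing the /32 toward Null0 drops traffic from that host as well as traffic to it, while the rest of the covering /24 keeps forwarding normally.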