[68132] in North American Network Operators' Group

Re: UUNet Offer New Protection Against DDoS

daemon@ATHENA.MIT.EDU (Danny McPherson)
Wed Mar 3 15:48:22 2004

In-Reply-To: <20040303132439.A7594@karate.mirrored.ca>
From: Danny McPherson <danny@tcb.net>
Date: Wed, 3 Mar 2004 13:37:34 -0700
To: NANOG <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu



On Mar 3, 2004, at 11:24 AM, Stephen Perciballi wrote:
>
> To the best of my knowledge, MCI/UUNET ~was~ the first to implement this.
> I've been using it for well over a year now.

Indeed.  One could even get "fancy" and set up different community
sets to allow customers to drop traffic only on peering routers (as
opposed to customer or all routers, etc.).  The "Customer-Triggered
Real Time Blackhole" tutorial that Chris, Tim and I gave in Miami
talks about how to go about doing this.

One step further is uRPF coupling with blackhole routing for
source-based drops, though I suspect you probably won't want to do this
with customers :-)

Finally, the BGP Flow Specification stuff provides a start at a more
granular BGP-based method by employing new AFI/SAFI.  If you've got
feedback please pass it along.

http://www.tcb.net/draft-marques-idr-flow-spec-00.txt

-danny
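
An added illustration, not part of the message above and not taken from the tutorial it cites: a small model of how per-scope community sets could decide which routers discard traffic to a customer-announced prefix. The community values, router role names, discard next hop, and the ownership and IPv4 host-route checks are all assumptions made for this example.

```python
import ipaddress

# Constructed community values (assumptions, not any provider's real ones).
# Each maps to the router roles that should discard traffic to the prefix.
SCOPE_BY_COMMUNITY = {
    "65000:666": {"peering", "customer", "core"},  # drop on all routers
    "65000:667": {"peering"},                      # drop only on peering routers
    "65000:668": {"customer"},                     # drop only on customer routers
}
# Documentation address, assumed to be statically routed to a null interface.
DISCARD_NEXT_HOP = "192.0.2.1"


def blackhole_scope(prefix, communities, customer_blocks, min_len=32):
    """Return the router roles that should blackhole `prefix` (may be empty).

    The request is honoured only if the prefix lies inside address space
    assigned to the announcing customer and is at least `min_len` bits long,
    so a customer cannot blackhole another network's space or an aggregate.
    """
    net = ipaddress.ip_network(prefix)
    owned = any(
        net.version == blk.version and net.subnet_of(blk)
        for blk in map(ipaddress.ip_network, customer_blocks)
    )
    if not owned or net.prefixlen < min_len:
        return set()
    roles = set()
    for community in communities:
        # Unknown communities contribute nothing to the drop scope.
        roles |= SCOPE_BY_COMMUNITY.get(community, set())
    return roles


def next_hop_for(router_role, prefix, communities, customer_blocks, normal_next_hop):
    """Next hop a router of `router_role` installs for the customer's route."""
    if router_role in blackhole_scope(prefix, communities, customer_blocks):
        return DISCARD_NEXT_HOP
    return normal_next_hop
```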