[68174] in North American Network Operators' Group
Re: UUNet Offer New Protection Against DDoS
daemon@ATHENA.MIT.EDU (James)
Thu Mar 4 04:24:09 2004
Date: Thu, 4 Mar 2004 04:23:27 -0500
From: James <haesu@towardex.com>
To: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
Cc: "Patrick W.Gilmore" <patrick@ianai.net>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0403032220260.15621-100000@server2.tcw.telecomplete.net>
Errors-To: owner-nanog-outgoing@merit.edu
in our case, we do the following setup:
1. allow up to /32 within customer's prefix(es)
2. check for 27552:666 (null comm), if matched, set to null'd nexthop
3. now match any prefixes that are longer than /22 on 0.0.0.0/1,
that are longer than /22 on 128.0.0.0/2, that are longer than /24
on 192.0.0.0/3. if any of these longer prefixes are matched, tag
them with 27552:31337 (which is our equivalent of no-export).
If a customer has a legitimate reason to send a /24 within say,
0.0.0.0/1, then we can always override it by adding a deny rule to
the matching prefix-list used by the route-map.
4. finally, add maximum-prefix limit to 500
I'll be more than glad to provide a config template if anyone is interested. I also
have an IPv6 version of it if interested.
-J
On Wed, Mar 03, 2004 at 10:22:16PM +0000, Stephen J. Wilcox wrote:
>
> > > I'm puzzled by one aspect on the implementation.. how to build your customer
> > > prefix filters.. that is, we have prefix-lists for prefix and length.
> > > Therefore at present we can only accept a tagged route for a whole block..
> > > not good if the announcement is a /16 etc !
> >
> > MCI handles this by only filtering on prefix, not length. Well,
> > allowing you to only announce up to your length, not shorter, but
> > longer is allowed.
>
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing this, in
> addition we have an extra filter which overrides anything that would deny
> anything longer than a /24. I'm not keen to change that.. LART appears to have
> little or no effect with my customers, preemption appears to be the only way!
>
> Steve
>
>
> > > Now, I could do as per the website at secsup.org which means we have a
> > > route-map entry to match the community before the filtering .. but that
> > > would allow the customer to null route any ip.
> > >
> > > What we need is one to allow them to announce any route including more
> > > specifics of the prefix list - how are folks doing this?
> >
> > It's not hard. I think the old UUNET just used standard ACLs (1->99).
> > :) But with prefix filters, you can set gt & lt prefix lengths on the
> > filters trivially.
> >
> > Of course, your customers can then deaggregate to their hearts content.
> > If they do, you should hunt them down and LART them. But it is useful
> > for some things, especially when combined with no_export, the
> > black-hole communities, or other communities.
> >
> >
--
James Jun TowardEX Technologies, Inc.
Technical Lead Network Design, Consulting, IT Outsourcing
james@towardex.com Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867 web: http://www.towardex.com , noc: www.twdx.net
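As an added illustration (not James's template, which is not in the message, and not part of the original post), here is one way to express the four-step customer inbound policy he describes in Cisco IOS syntax. The community values 27552:666 and 27552:31337 are the ones given in the message; AS 27552 is inferred from them. Everything else is constructed for the example: the list and route-map names, customer block 203.0.113.0/24 and peer 203.0.113.1 (RFC 5737 space), customer ASN 65001, and the blackhole next-hop 192.0.2.1.

```cisco
! Added example: reconstruction of the policy described in the message.
! Constructed values: CUST-A-IN, TOO-SPECIFIC, CUST-BLACKHOLE, CUST-IN,
! 203.0.113.0/24, 203.0.113.1, AS 65001, next-hop 192.0.2.1.
ip bgp-community new-format
!
! Step 1: customer may announce anything inside its block, down to a /32.
ip prefix-list CUST-A-IN seq 5 permit 203.0.113.0/24 le 32
!
! Step 2: the customer-triggered blackhole community (27552:666 in the message).
ip community-list standard CUST-BLACKHOLE permit 27552:666
! The rewritten next-hop is statically routed to Null0 on every router,
! so anything carrying it is discarded in the forwarding plane.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Step 3: "too specific" thresholds per address range.
!   longer than /22 in 0.0.0.0/1   -> ge 23
!   longer than /22 in 128.0.0.0/2 -> ge 23
!   longer than /24 in 192.0.0.0/3 -> ge 25
! A legitimate exception (the /24 inside 0/1 mentioned in the message) is a
! deny entry with a lower sequence number, e.g. (constructed prefix):
!   ip prefix-list TOO-SPECIFIC seq 1 deny 10.20.30.0/24
ip prefix-list TOO-SPECIFIC seq 10 permit 0.0.0.0/1 ge 23
ip prefix-list TOO-SPECIFIC seq 20 permit 128.0.0.0/2 ge 23
ip prefix-list TOO-SPECIFIC seq 30 permit 192.0.0.0/3 ge 25
!
! Steps 2 and 3 as route-map clauses; first matching clause wins.
route-map CUST-IN permit 10
 match community CUST-BLACKHOLE
 set ip next-hop 192.0.2.1
 set community 27552:31337 additive
route-map CUST-IN permit 20
 match ip address prefix-list TOO-SPECIFIC
 set community 27552:31337 additive
route-map CUST-IN permit 30
!
! Step 4: tie it to the customer session with a prefix cap of 500.
router bgp 27552
 neighbor 203.0.113.1 remote-as 65001
 neighbor 203.0.113.1 prefix-list CUST-A-IN in
 neighbor 203.0.113.1 route-map CUST-IN in
 neighbor 203.0.113.1 maximum-prefix 500
```

Two choices here are mine rather than the message's: step 1 is applied as a neighbor prefix-list rather than as a route-map clause, so the route-map only ever sees routes already inside the customer's block; and because IOS stops at the first matching route-map clause, the blackhole clause also sets 27552:31337, so a /32 nulled by the customer stays local instead of being evaluated (and possibly exported) as an ordinary route. The tag itself does nothing until the outbound policy toward peers and upstreams matches it and drops those routes; that side is not shown in the message and not reconstructed here.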