[71449] in North American Network Operators' Group
Re: DDoS mitigation with BGP communities
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Mon Jun 14 23:40:42 2004
Date: Tue, 15 Jun 2004 03:36:16 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@mci.com>
In-reply-to: <0EED90FE-BE7C-11D8-8209-000A956885D4@crocker.com>
To: Matthew Crocker <matthew@crocker.com>
Cc: "'nanog@merit.edu'" <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 14 Jun 2004, Matthew Crocker wrote:
>
>
> Hello,
>
> I just experienced my first official DDoS attack against my network.
> I never realized how helpless I was :(. I had roughly 70 mbps of
> traffic aimed at one IP. The IP wasn't even in use, I'm assuming
> someone typed the wrong IP and meant to send it somewhere else. I shut
> it down by removing the /24 announcement. This was fine except for
> the customers on that /24. I know my upstreams have special
> communities I can set via BGP announcements that effectively say 'route
> packets to this network to null0'. My question is, what do I need to
> put on my router (i.e. code examples) to inject the /32 into the BGP
> announcements? I try to be a good net citizen and announce aggregate
> blocks. I had to break my /21 up so I could announce everything but
> the /24 in the middle. Any help would be greatly appreciated.

I think this was covered a few times, but:
http://www.secsup.org/CustomerBlackHole/
includes some config snippets for you there.
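
A customer-side Cisco IOS configuration for the /32 injection asked about above, added here as an example (it is not from the original message or from the linked page). The AS numbers, addresses, tag value and the community 64511:666 are constructed placeholders; it assumes the upstream publishes a blackhole community and accepts /32s inside your allocation when they carry it.

```cisco
! Constructed values: AS 64496 = customer, AS 64511 = upstream,
! 192.0.2.0/24 = customer aggregate, 192.0.2.1 = attacked address.
! 64511:666 is a placeholder; use the community your upstream documents.
ip bgp-community new-format
!
! Anchor route so the aggregate is always announced via "network".
ip route 192.0.2.0 255.255.255.0 Null0
!
! Trigger: add one tagged static per attacked address, remove it to withdraw.
ip route 192.0.2.1 255.255.255.255 Null0 tag 666
!
! Only statics carrying the trigger tag enter BGP, marked with the
! upstream's blackhole community.
route-map STATIC-TO-BGP permit 10
 match tag 666
 set community 64511:666
 set origin igp
route-map STATIC-TO-BGP deny 20
!
ip community-list standard BLACKHOLE permit 64511:666
ip prefix-list MY-AGGREGATE seq 5 permit 192.0.2.0/24
ip prefix-list MY-HOSTS seq 5 permit 192.0.2.0/24 ge 32
!
! Outbound policy: the aggregate as usual, plus host routes inside it,
! but only when they carry the blackhole community. Nothing else leaks.
route-map TO-UPSTREAM permit 10
 match ip address prefix-list MY-AGGREGATE
route-map TO-UPSTREAM permit 20
 match ip address prefix-list MY-HOSTS
 match community BLACKHOLE
route-map TO-UPSTREAM deny 30
!
router bgp 64496
 network 192.0.2.0 mask 255.255.255.0
 redistribute static route-map STATIC-TO-BGP
 neighbor 203.0.113.1 remote-as 64511
 neighbor 203.0.113.1 send-community
 neighbor 203.0.113.1 route-map TO-UPSTREAM out
```

With this in place the aggregate stays announced, so only the attacked /32 is dropped at the upstream's edge and the rest of the block remains reachable. `show ip bgp neighbors 203.0.113.1 advertised-routes` confirms that the /32 is being sent.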