Merit Network Email List Archives

North American Network Operators Group

Re: engineering --> ddos and flooding

  • From: Walter Prue
  • Date: Fri Jun 01 14:19:10 2001

I came up with a solution for networks with ISP connections to deal
quickly with DDOS attacks without having to be able to work with a
network technician at the ISP for immediate relief.  If the ISP agrees,
install a second low speed connection to the same router your primary
router BGP peers with.  Through this low speed connection you run a
second bgp session advertising the /32 that is being attacked by the
DDOS.  You mark the /32 as NO-ADVERTISE so the route doesn't leave the
border router.

If you can't bgp peer with the same router as the primary connection you
advertise the attacked /32 with the NO-EXPORT community so the route 
stays within the ISP's AS.

This second low speed connection thus becomes a lightning rod for the
DDOS traffic most of which will be discarded and not even delivered due
to congestion on the slow speed link, the slower the better for you.
This of course kills all traffic to the attacked node but the rest of
the network remains usable.  Then at least if the attack can be further
defined you can contact your ISP for a port specific or source address
specific filter so that more legitimate traffic can be accepted.

Another approach might be for the ISP to take a low end router like a
cisco 2600 and run multihop bgp with their customers who want this kind
of service.  The router would remap the next hop information for all
routes it receives to null0 or perhaps a 100 Mb/s ethernet with nothing
on it.  It would also mark all the routes NO-EXPORT.  Then only the
single connection to the customer is needed.  Two possible Achilles'
heels of this approach are that the multihop bgp session between the
customer and the ISP's low end router may die under the flood of the
attack.  Also the low end router could drop its IBGP peering if it
becomes too flooded with the now redirected traffic.  Of course
appropriate route filtering would be essential so your customer could
only advertise his own routes to be routed to a black hole.

Walt
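Here is how the two halves of Walt's second approach, the customer-side trigger and the ISP's low end blackhole router, might look as Cisco IOS configuration. This is an added example, not configuration from the original post or from any NANOG participant; the AS numbers, the addresses (taken from the documentation ranges), the peer and prefix-list names and the multihop distance are all assumptions. One design choice differs from the post's wording: instead of having the low end router itself send traffic to null0, its inbound route-map rewrites the next hop to a discard address that every router in the AS resolves to Null0, which is the usual way to keep the redirected flood from landing on the low end box (the weakness the post points out).

```cisco
! ===== Customer router, AS 64501 (hypothetical) =====
! Trigger: to blackhole an attacked host, add a /32 static pointing at
! Null0. The "network" statement below picks it up, and its route-map
! marks the /32 NO-EXPORT so the route never leaves the ISP's AS.
ip route 203.0.113.25 255.255.255.255 Null0
!
! Only the customer's aggregate is ever sent over the primary session.
ip prefix-list PRIMARY-OUT seq 10 permit 203.0.113.0/24
!
route-map SET-NOEXPORT permit 10
 set community no-export
!
router bgp 64501
 network 203.0.113.0 mask 255.255.255.0
 network 203.0.113.25 mask 255.255.255.255 route-map SET-NOEXPORT
 ! primary session with the ISP border router: aggregate only, never the /32
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 prefix-list PRIMARY-OUT out
 ! multihop session to the ISP's blackhole router (approach 2 in the post)
 neighbor 192.0.2.100 remote-as 64500
 neighbor 192.0.2.100 ebgp-multihop 5
 neighbor 192.0.2.100 update-source Loopback0
 neighbor 192.0.2.100 send-community
!
! ===== ISP blackhole router, AS 64500 (hypothetical low end box) =====
! Discard next hop. The same static must exist on every router in the
! AS that learns the /32 via IBGP, so the flood is dropped where it
! enters the network instead of being hauled to this router.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Route filtering: customer A may only blackhole /32s inside its own block.
ip prefix-list CUST-A-BLACKHOLE seq 10 permit 203.0.113.0/24 ge 32
!
route-map CUST-A-BLACKHOLE-IN permit 10
 match ip address prefix-list CUST-A-BLACKHOLE
 set ip next-hop 192.0.2.1
 set community no-export additive
 set local-preference 200
!
router bgp 64500
 ! multihop EBGP to the customer's loopback
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 description customer A blackhole trigger session
 neighbor 203.0.113.1 ebgp-multihop 5
 neighbor 203.0.113.1 update-source Loopback0
 neighbor 203.0.113.1 prefix-list CUST-A-BLACKHOLE in
 neighbor 203.0.113.1 route-map CUST-A-BLACKHOLE-IN in
 neighbor 203.0.113.1 maximum-prefix 50
 ! IBGP to a core router; the rewritten next hop 192.0.2.1 is passed on
 ! unchanged so the core resolves it to its own Null0 static
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 send-community
```

For the first approach in the post (a second low speed link to the same border router) the customer side is the same trigger, except that the session runs directly over that link rather than multihop and the route-map sets `no-advertise` instead of `no-export`, so the /32 stops at the border router. The ISP-side prefix-list and `maximum-prefix` guard apply unchanged in either case: without them a customer session could blackhole addresses that are not its own.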
