North American Network Operators Group
Re: engineering --> ddos and flooding
- From: Sykes, Phil
- Date: Fri Jun 01 14:51:57 2001
Ooh, a good idea (or is it just late on Friday?)
>Two possible Achilles heels with this approach are that the multihop bgp
>session between the
>customer and the ISP's low end router may die under the flood of the
>attack.
> Also the low end router could drop its IBGP peering if it
> becomes too flooded with the now redirected traffic.
I think an appropriately secured web-based interface would be better than
multihop-BGP trickery, for the 'death of the customer connection' reason.
I'd hope every responsible NOC operator has at least 5 backup dialup
accounts on other people's networks to access the webpage through.
Perhaps the low-end router (or Zebra-running box) on the ISP's side could
advertise the routes internally to the ISP network with a next-hop of a big
router that can take the pain (or a security box that can log the packets).
Alternatively, a route-map on each router in the network could null route
any route advertisement with a nullroute community (curses, thought of it a
couple of seconds too late :-)
Cheers,
Phil Sykes, Network Engineer
Cable & Wireless European IP Engineering
p: +49 89 92699 204 m: +49 172 89 79 727
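
The route-map idea from the last paragraph of the message above, sketched as Cisco IOS-style configuration. This is an added example, not part of the original post; the AS number, community value, route-map and community-list names, and all addresses are constructed placeholders.

```cisco
! Added illustration. Constructed values: AS 64512, community 64512:666,
! discard next hop 192.0.2.1, iBGP peer 198.51.100.1 (the low-end
! router or Zebra box that injects the customer-requested routes).
ip bgp-community new-format
!
! Each router in the network sends the discard address to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Match only routes carrying the agreed null-route community.
ip community-list standard NULLROUTE permit 64512:666
!
! Tagged routes get the discard address as next hop, so traffic to them
! is dropped on the first router that has this policy.
route-map IBGP-IN permit 10
 match community NULLROUTE
 set ip next-hop 192.0.2.1
! All other iBGP routes pass through unchanged.
route-map IBGP-IN permit 20
!
router bgp 64512
 neighbor 198.51.100.1 remote-as 64512
 neighbor 198.51.100.1 route-map IBGP-IN in
```

The injecting router should accept the tagged announcements only for prefixes the requesting customer is authorised to originate; otherwise the community becomes a way to null-route someone else's address space.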