Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: attacking DDOS using BGP communities?

  • From: alex
  • Date: Fri Oct 18 10:39:20 2002

> 
> Interesting -- I was actually having a conversation about this very same
> thing with a friend of mine a few days ago.  The problem we had, was
> that he had next-hop-self on all of his ibgp mesh routers.  Does that
> not make it difficult to put an ip next-hop in?  Also, would that ip
> next-hop be propagated throughout his mesh or would that same route-map
> have to be present on all the edge routers?
> 
> The other thing we were toying with was a setting the administrative
> distance for said black-holed route to be less than that of his igp and
> having his IGP route to 127.0.0.1 or something.

	Again, by doing this you are denying service since you are dropping
all the packets addressed to the target. Such protection mounts another DOS
attack on the target, this time by preventing any packets traveling though
your network from reaching the targets, as opposite to preventing DDOS from
using your network.
	If such system is implemented, the DOS attacks will become a lot
harder to trace and chase after, since the attackers will simply trigger
target blackholing.

Alex





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.