Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: UUNet Offer New Protection Against DDoS

  • From: Lumenello, Jason
  • Date: Wed Mar 03 18:08:32 2004

I struggled with this, and came up with the following.

We basically use a standard route-map for all customers where the first
term looks for the community. The customer also has a prefix-list on
their neighbor statement allowing their blocks le /32. The following
terms (term 2 and above) in the route-map which do NOT look for the
customer discard community, have a different standard/generic
prefix-list evaluation which blocks cruft and permits 0.0.0.0/0 ge 8 le
24.

By doing this, I only accept a customer /32 from his dedicated
prefix-list when it has the DOS discard community, otherwise I catch
them with the ge 8 le 24 in the following terms.

Jason Lumenello
IP Engineering
XO Communications

> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf
Of
> Stephen J. Wilcox
> Sent: Wednesday, March 03, 2004 3:48 PM
> To: james
> Cc: nanog@merit.edu
> Subject: Re: UUNet Offer New Protection Against DDoS
> 
> 
> 
> I'm puzzled by one aspect on the implementation.. how to build your
> customer
> prefix filters.. that is, we have prefix-lists for prefix and length.
> Therefore
> at present we can only accept a tagged route for a whole block.. not
good
> if the
> announcement is a /16 etc !
> 
> Now, I could do as per the website at secsup.org which means we have a
> route-map
> entry to match the community before the filtering .. but that would
allow
> the
> customer to null route any ip.
> 
> What we need is one to allow them to announce any route including more
> specifics of the prefix list - how are folks doing this?
> 
> Steve
> 
> On Wed, 3 Mar 2004, james wrote:
> 
> >
> > Global Crossing has this, already in production.
> > I was on the phone with Qwest yesterday & this was one
> > of this things I asked about. Qwest indicated they are
> > going to deploy this shortly. (i.e., send routes tagged with
> > a community which they will set to null)
> >
> >
> > James Edwards
> > Routing and Security
> > jamesh@cybermesa.com
> > At the Santa Fe Office: Internet at Cyber Mesa
> > Store hours: 9-6 Monday through Friday
> > 505-988-9200 SIP:1(747)669-1965
> >
> >





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.