North American Network Operators Group
RE: UUNet Offer New Protection Against DDoS
- From: Lumenello, Jason
- Date: Wed Mar 03 18:08:32 2004
I struggled with this, and came up with the following.
We basically use a standard route-map for all customers where the first
term looks for the community. The customer also has a prefix-list on
their neighbor statement allowing their blocks le /32. The following
terms (term 2 and above) in the route-map which do NOT look for the
customer discard community, have a different standard/generic
prefix-list evaluation which blocks cruft and permits 0.0.0.0/0 ge 8 le
By doing this, I only accept a customer /32 from his dedicated
prefix-list when it has the DOS discard community, otherwise I catch
them with the ge 8 le 24 in the following terms.
> -----Original Message-----
> From: email@example.com [mailto:firstname.lastname@example.org] On Behalf
> Stephen J. Wilcox
> Sent: Wednesday, March 03, 2004 3:48 PM
> To: james
> Cc: email@example.com
> Subject: Re: UUNet Offer New Protection Against DDoS
> I'm puzzled by one aspect on the implementation.. how to build your
> prefix filters.. that is, we have prefix-lists for prefix and length.
> at present we can only accept a tagged route for a whole block.. not
> if the
> announcement is a /16 etc !
> Now, I could do as per the website at secsup.org which means we have a
> entry to match the community before the filtering .. but that would
> customer to null route any ip.
> What we need is one to allow them to announce any route including more
> specifics of the prefix list - how are folks doing this?
> On Wed, 3 Mar 2004, james wrote:
> > Global Crossing has this, already in production.
> > I was on the phone with Qwest yesterday & this was one
> > of these things I asked about. Qwest indicated they are
> > going to deploy this shortly. (i.e., send routes tagged with
> > a community which they will set to null)
> > James Edwards
> > Routing and Security
> > firstname.lastname@example.org
> > At the Santa Fe Office: Internet at Cyber Mesa
> > Store hours: 9-6 Monday through Friday
> > 505-988-9200 SIP:1(747)669-1965
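
The filter ordering described in the reply at the top of this message, modelled as an added example that is not part of the original thread or anyone's production configuration. The community value, the customer blocks (documentation ranges) and all function names are assumptions, and the "cruft" entries of the generic prefix-list are left out.

```python
import ipaddress

# Constructed values for illustration (assumptions, not from the thread).
DISCARD_COMMUNITY = "65000:666"
CUSTOMER_BLOCKS = ["198.51.100.0/24", "203.0.113.0/24"]

# Generic list used by route-map term 2 and above: 0.0.0.0/0 ge 8 le 24.
GENERIC_LIST = [("0.0.0.0/0", 8, 24)]


def prefix_list_permits(prefix, entries):
    """Model 'permit NET ge X le Y': inside NET and X <= length <= Y."""
    net = ipaddress.ip_network(prefix)
    for base, ge, le in entries:
        if net.subnet_of(ipaddress.ip_network(base)) and ge <= net.prefixlen <= le:
            return True
    return False


def neighbor_list(blocks):
    """Per-customer list on the neighbor statement: each block, le /32."""
    return [(b, ipaddress.ip_network(b).prefixlen, 32) for b in blocks]


def evaluate(prefix, communities, blocks=CUSTOMER_BLOCKS):
    """Return 'discard', 'accept' or 'reject' for one customer announcement."""
    # Neighbor prefix-list: only the customer's own space, any length to /32.
    if not prefix_list_permits(prefix, neighbor_list(blocks)):
        return "reject"
    # Term 1: the discard community is the only way a long prefix gets in.
    if DISCARD_COMMUNITY in communities:
        return "discard"
    # Term 2+: untagged routes must also pass the generic ge 8 le 24 list.
    if prefix_list_permits(prefix, GENERIC_LIST):
        return "accept"
    return "reject"


if __name__ == "__main__":
    samples = [  # constructed announcements
        ("198.51.100.7/32", {DISCARD_COMMUNITY}),  # own /32, tagged
        ("198.51.100.7/32", set()),                # own /32, untagged
        ("192.0.2.9/32", {DISCARD_COMMUNITY}),     # someone else's /32, tagged
        ("198.51.100.0/24", set()),                # normal announcement
    ]
    for prefix, comms in samples:
        print(prefix, sorted(comms), "->", evaluate(prefix, comms))
```

The third sample is the case raised in the quoted question: a tagged /32 outside the customer's blocks is rejected by the neighbor prefix-list before the community term is reached.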