North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: UUNet Offer New Protection Against DDoS
- From: James
- Date: Thu Mar 04 04:25:47 2004
in our case, we do the following setup:
1. allow up to /32 within customer's prefix(es)
2. check for 27552:666 (null comm), if matched, set to null'd nexthop
3. now match any prefixes that are longer than /22 on 0.0.0.0/1,
that are longer than /22 on 126.96.36.199/2, that are longer than /24
on 192.0.0.0/3. if any of these longer prefixes are matched, tag
them with 27552:31337 (which is our equivalent of no-export).
If a customer has a legitimate reason to send a /24 within say,
0.0.0.0/1, then we can always override it by adding a deny rule to
the matching prefix-list used by the route-map.
4. finally, add maximum-prefix limit to 500
I'll be more than glad to provide config template if anyone is interested. Also
have ipv6 version of it as well if interested.
On Wed, Mar 03, 2004 at 10:22:16PM +0000, Stephen J. Wilcox wrote:
> > > I'm puzzled by one aspect on the implementation.. how to build your customer
> > > prefix filters.. that is, we have prefix-lists for prefix and length.
> > > Therefore at present we can only accept a tagged route for a whole block..
> > > not good if the announcement is a /16 etc !
> > MCI handles this by only filtering on prefix, not length. Well,
> > allowing you to only announce up to your length, not shorter, but
> > longer is allowed.
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing this, in
> addition we have an extra filter which overrides anything that would deny
> anything longer than a /24. I'm not keen to change that.. LART appears to have
> little or no effect with my customers, preemption appears to be the only way!
> > > Now, I could do as per the website at secsup.org which means we have a
> > > route-map
> > > entry to match the community before the filtering .. but that would
> > > allow the
> > > customer to null route any ip.
> > >
> > > What we need is one to allow them to announce any route including more
> > > specifics of the prefix list - how are folks doing this?
> > It's not hard. I think the old UUNET just used standard ACLs (1->99).
> > :) But with prefix filters, you can set gt & lt prefix lengths on the
> > filters trivially.
> > Of course, your customers can then deaggregate to their hearts content.
> > If they do, you should hunt them down and LART them. But it is useful
> > for some things, especially when combined with no_export, the
> > black-hole communities, or other communities.
James Jun TowardEX Technologies, Inc.
Technical Lead Network Design, Consulting, IT Outsourcing
email@example.com Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867 web: http://www.towardex.com , noc: www.twdx.net