Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: UUNet Offer New Protection Against DDoS

  • From: James
  • Date: Thu Mar 04 04:25:47 2004

	in our case, we do the following setup:

	1. allow up to /32 within customer's prefix(es)
	2. check for 27552:666 (null comm), if matched, set to null'd nexthop
	3. now match any prefixes that are longer than /22 on 0.0.0.0/1,
	   that are longer than /22 on 128.0.0.0/2, that are longer than /24
	   on 192.0.0.0/3. if any of these longer prefixes are matched, tag
	   them with 27552:31337 (which is our equivalent of no-export).

	     If a customer has a legitimate reason to send a /24 within say,
           0.0.0.0/1, then we can always override it by adding a deny rule to
	   the matching prefix-list used by the route-map.

	4. finally, add maximum-prefix limit to 500

I'll be more than glad to provide config template if anyone is interested. Also
have ipv6 version of it as well if interested.

-J

	
On Wed, Mar 03, 2004 at 10:22:16PM +0000, Stephen J. Wilcox wrote:
> 
> > > I'm puzzled by one aspect on the implementation.. how to build your customer
> > > prefix filters.. that is, we have prefix-lists for prefix and length.  
> > > Therefore at present we can only accept a tagged route for a whole block..
> > > not good if the announcement is a /16 etc !
> > 
> > MCI handles this by only filtering on prefix, not length.  Well, 
> > allowing you to only announce up to your length, not shorter, but 
> > longer is allowed.
> 
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing this, in 
> addition we have an extra filter which overrides anything that would deny 
> anything longer than a /24. I'm not keen to change that.. LART appears to have 
> little or no effect with my customers, preemption appears to be the only way!
> 
> Steve
> 
> 
> > > Now, I could do as per the website at secsup.org which means we have a 
> > > route-map
> > > entry to match the community before the filtering .. but that would 
> > > allow the
> > > customer to null route any ip.
> > >
> > > What we need is one to allow them to announce any route including more
> > > specifics of the prefix list - how are folks doing this?
> > 
> > It's not hard.  I think the old UUNET just used standard ACLs (1->99). 
> > :)  But with prefix filters, you can set gt & lt prefix lengths on the 
> > filters trivially.
> > 
> > Of course, your customers can then deaggregate to their hearts content. 
> >   If they do, you should hunt them down and LART them.  But it is useful 
> > for some things, especially when combined with no_export, the 
> > black-hole communities, or other communities.
> > 
> > 

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james@towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.