Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: New Solution: (was: Re: Counter DoS)

  • From: Barney Wolff
  • Date: Thu Mar 11 21:08:49 2004

On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote:
> 
> Just like the blackhole community routes, certain /32's (only, nothing 
> shorter) can be exported from the customer to the backbone to be 
> blackholed at the edges. The twist is that instead of limiting the 
> customer announcement to the customer's IPs, you force only /32s to be 
> announced for the blackhole prefixes and limit the total number of 
> prefixes. Say 100 (or 10, or 1000 depends how much trust you have)
> 
> So say, joe-customer has identified his top 50 DDOS sources, he 
> announces them to you, voila, DDOS gone. (even for spoofed traffic, 
> depending on how your filters are set up) Obviously these would be 
> no-export routes so no peer need be worried.

1. Why is BGP the right tool for this?

2. Is your idea to block only packets destined for the customer making
the request, or to 0/0?

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
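
The acceptance policy described in the quoted proposal (only /32s, a cap on the number of prefixes, accepted routes marked no-export), sketched as an added example that is not part of the original messages or any router's own configuration. The function name, the choice to reject rather than drop the session when the cap is hit, and the IPv4-only reading of "/32" are assumptions; the sample prefixes are constructed from documentation address ranges.

```python
import ipaddress

# Well-known NO_EXPORT community (RFC 1997), attached to every accepted route.
NO_EXPORT = "65535:65281"

def filter_blackhole_announcements(prefixes, max_prefixes=100):
    """Apply the proposed policy to one customer's blackhole announcements.

    Returns (accepted, rejected): accepted is a list of (prefix, community)
    tuples, rejected is a list of (prefix, reason) tuples.
    Hypothetical helper, not taken from the thread.
    """
    accepted, rejected, seen = [], [], set()
    for raw in prefixes:
        try:
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            rejected.append((raw, "not a valid prefix"))
            continue
        if net.version != 4 or net.prefixlen != 32:
            # "only, nothing shorter": a /24 or 0/0 must never be blackholed
            rejected.append((raw, "only IPv4 /32 accepted"))
        elif net in seen:
            rejected.append((raw, "duplicate"))
        elif len(accepted) >= max_prefixes:
            # Assumption: excess routes are refused rather than resetting the session
            rejected.append((raw, "prefix limit exceeded"))
        else:
            seen.add(net)
            accepted.append((str(net), NO_EXPORT))
    return accepted, rejected

# Constructed sample input (documentation address ranges, not real sources).
SAMPLE = ["192.0.2.10/32", "198.51.100.0/24", "0.0.0.0/0",
          "203.0.113.7/32", "192.0.2.10/32", "2001:db8::1/128", "bogus"]

if __name__ == "__main__":
    ok, bad = filter_blackhole_announcements(SAMPLE, max_prefixes=10)
    for prefix, community in ok:
        print("accept", prefix, "community", community)
    for prefix, reason in bad:
        print("reject", prefix, "-", reason)
```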



