North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: New Solution: (was: Re: Counter DoS)
- From: Barney Wolff
- Date: Thu Mar 11 21:08:49 2004
On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote:
> Just like the blackhole community routes, certain /32's (only, nothing
> shorter) can be exported from the customer to the backbone to be
> blackholed at the edges. The twist, is that instead of limited the
> customer announcement to the customer's IPs, you force only /32s to be
> announced for the blackhole prefixes and limit the total number of
> prefixes. Say 100 (or 10, or 1000 depends how much trust you have)
> So say, joe-customer has identified his top 50 DDOS sources, he
> announces them to you, voila, DDOS gone. (even for spoofed traffic,
> depending on how your filters are set up) Obviously these would be
> no-export routes so no peer need be worried.
1. Why is BGP the right tool for this?
2. Is your idea to block only packets destined for the customer making
the request, or to 0/0?
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.