On Sun, 24 Sep 2000, James A. T. Rice <James_R-nanog@jump.org.uk> wrote:
> Why aggregate? You could just announce the /32's of the actual broadcast addresses, and cause much less damage to other resources on that network.
/32 announcements filter the pre-amplification (attacker -> amplifier) traffic, which very likely takes a different path than post-amplification (amplifier -> victim) traffic. Since using 1.2.3.255 as an amplifier can result in responses from other IPs within 1.2.3.0/24 (and occasionally even other netblocks), if the attacker <-> amplifier path doesn't accept the BGP feed, the attack will happen regardless of whether the victim's upstream accepts the BGP feed. The /24 announcements filter [most of] the actual flood as well as the amplifiers.
> Also if you do aggregate, your blackhole route will probably be less specific than the 'real' route, so the 'real' route and not the blackhole one is what would get used.
Good point. Unaggregated /24s would be the way to go. To keep the number of routes manageable, we would probably announce just those with a high amplification ( > 10x).

Cheers,
Troy
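The argument in the thread rests on two routing facts: longest-prefix match (a blackhole route only takes effect if it is at least as specific as the real route) and path asymmetry (the router on the attacker-to-amplifier path may not carry the blackhole feed, while the victim's upstream does). The following is an added example, not code from the original NANOG thread, that simulates both with a tiny routing table. All prefixes, next-hop names and preference values are constructed for illustration; the modelling of how the /24 feed "filters the actual flood" as a loose reverse-path check (drop packets whose source address resolves to a discard route) is an assumption, since the thread does not say how that filtering is done.

```python
import ipaddress

# Route entries: (prefix, next_hop, local_pref). "null0" is a discard route.
# Constructed table: the amplifier's /24 (1.2.3.0/24 matches the thread's
# 1.2.3.255 example), the victim's /24, and a default route.
BASE_TABLE = [
    ("0.0.0.0/0", "upstream_default", 100),
    ("1.2.3.0/24", "upstream_A", 100),        # the amplifier's /24
    ("10.9.8.0/24", "customer_victim", 100),  # the victim's /24
]

# Assumption: blackhole-feed routes are imported with a higher local-pref so
# that an equal-length blackhole beats the real route.
BLACKHOLE_PREF = 200

ATTACKER = "203.0.113.7"      # constructed attacker source
AMPLIFIER_BCAST = "1.2.3.255"  # directed-broadcast address being abused
AMPLIFIER_HOST = "1.2.3.17"    # a host inside the amplifier /24 that replies
VICTIM = "10.9.8.1"            # constructed victim address


def lookup(table, addr):
    """Longest-prefix match; on equal prefix length the higher local_pref wins."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop, pref in table:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        if best is None or (net.prefixlen, pref) > (best[0].prefixlen, best[2]):
            best = (net, next_hop, pref)
    return best


def forward(table, src, dst, source_check=False):
    """Return "drop" or the next hop chosen for a packet src -> dst.

    The destination lookup drops on a null0 route. With source_check=True the
    router additionally drops a packet whose source address resolves to null0
    (loose reverse-path check; an assumption about how the feed filters the
    post-amplification flood, not something the thread states).
    """
    route = lookup(table, dst)
    if route is None or route[1] == "null0":
        return "drop"
    if source_check:
        src_route = lookup(table, src)
        if src_route is not None and src_route[1] == "null0":
            return "drop"
    return route[1]


def with_blackhole(prefix):
    """The base table plus one blackhole announcement for `prefix`."""
    return BASE_TABLE + [(prefix, "null0", BLACKHOLE_PREF)]


def scenario(blackhole_prefix, amp_path_has_feed):
    """Simulate one attack under a given blackhole announcement.

    The attacker -> amplifier packet crosses a router that may or may not
    carry the feed; the amplifier -> victim reply crosses the victim's
    upstream, which always carries it. Returns (pre, post) verdicts.
    """
    amp_path = with_blackhole(blackhole_prefix) if amp_path_has_feed else list(BASE_TABLE)
    victim_upstream = with_blackhole(blackhole_prefix)
    pre = forward(amp_path, ATTACKER, AMPLIFIER_BCAST, source_check=True)
    post = forward(victim_upstream, AMPLIFIER_HOST, VICTIM, source_check=True)
    return pre, post


if __name__ == "__main__":
    for prefix, has_feed in [("1.2.3.255/32", True), ("1.2.3.255/32", False),
                             ("1.2.3.0/24", False), ("1.2.3.0/24", True),
                             ("1.2.0.0/16", True)]:
        pre, post = scenario(prefix, has_feed)
        print(f"blackhole {prefix:13} feed on amplifier path={has_feed!s:5} "
              f"attacker->amplifier: {pre:16} amplifier->victim: {post}")
```

The /32 announcement only stops the attacker-to-amplifier packet, and only on routers that carry the feed; the reply from 1.2.3.17 to the victim is unaffected because its source still resolves to the real /24. The /24 announcement stops the reply at the victim's upstream even when the amplifier-path router ignores the feed. The aggregated /16 does nothing at all, since the real /24 is more specific and wins the lookup.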