On Jan 30, 2008 3:54 PM, Deepak Jain <deepak@ai.net> wrote:
This is prior art. (Assuming your hardware has a hardware blackhole (or you have a little router sitting on the end of a circuit)) you adjust your route-map that would deny the entry to set a community or next-hop pointing to your blackhole location.
Nowadays, most equipment can blackhole internally (to null0 say) at full speed, so it isn't an issue. Just set your next hop to a good null0 style location on route import and you are done for traffic destined to those locations.
...do uRPF-loose-mode and you kill FROM these locations as well...
For inbound traffic from those locations you would need to do policy routing (because you are looking up on source). If you are trying to
(uRPF loose-mode)
block SPAM or anything TCP related, you only need to block 1 direction to end the conversation.
be cautious of 'synflooding' your internal hosts with this though... Null0 doesn't generate unreachables at packet-rate, but at a lower (1:1000 I believe on cisco by default) rate.
Sounds harsh, but hey, it's your network.
wee! and for some extra fun, just append the bad-guy's ASN to your route announcements, force bgp loop-detection to kill the traffic on their end (presuming they don't default-route as well)
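Putting the pieces of this exchange together as one router configuration (an added example, not from anyone in the thread). It assumes Cisco IOS syntax, a blackhole next-hop of 192.0.2.1 (TEST-NET-1, never routed) pointed at Null0, a locally chosen blackhole community 64496:666, local AS 64496, an upstream neighbor 203.0.113.1 in AS 64497, and a hypothetical attacker AS 64498 and victim prefix 198.51.100.0/24 for the AS-path trick; all of those values are placeholders.

```cisco
! Added example, not the original poster's configuration. Assumes Cisco IOS.
!
! 1. Make the blackhole next-hop resolve to Null0, so the forwarding plane
!    discards matching traffic at line rate. Suppressing unreachables on
!    Null0 keeps the CPU out of the loop when a flood hits the blackhole.
ip route 192.0.2.1 255.255.255.255 Null0
!
interface Null0
 no ip unreachables
!
! 2. On route import, rewrite the next-hop of community-tagged prefixes
!    (assumed community 64496:666) to the blackhole address. Everything
!    else passes unchanged through the permit 20 clause.
ip community-list standard BLACKHOLE permit 64496:666
!
route-map IMPORT-POLICY permit 10
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
!
route-map IMPORT-POLICY permit 20
!
! 3. Optional: the thread's AS-path trick. Prepending the attacker's ASN
!    (hypothetical 64498) on the victim prefix makes the attacker's routers
!    drop the path via loop detection. Only works if they do not reach you
!    over a default route, and it affects only the listed prefix.
ip prefix-list VICTIM permit 198.51.100.0/24
!
route-map EXPORT-POLICY permit 10
 match ip address prefix-list VICTIM
 set as-path prepend 64498
!
route-map EXPORT-POLICY permit 20
!
router bgp 64496
 neighbor 203.0.113.1 remote-as 64497
 neighbor 203.0.113.1 route-map IMPORT-POLICY in
 neighbor 203.0.113.1 route-map EXPORT-POLICY out
!
! 4. uRPF loose mode on the edge interface. A packet whose SOURCE address
!    best-matches a route pointing to Null0 fails the check and is dropped,
!    so the reverse direction dies too without any policy routing.
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any
```

Traffic toward a blackholed prefix is dropped by the Null0 next-hop on import; traffic coming from it is dropped by uRPF loose mode because the source lookup lands on the same Null0 route. For TCP (the SMTP case in the thread) either direction alone is enough to kill the session, but check `show ip bgp 192.0.2.1` style next-hop resolution and the Null0 interface counters before trusting it under load.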