-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Stephen Perciballi Sent: Wednesday, March 03, 2004 12:25 PM To: Andy Ellifson Cc: nanog@merit.edu Subject: Re: UUNet Offer New Protection Against DDoS
To the best of my knowledge, MCI/UUNET ~was~ the first to implement
I've been using it for well over a year now.
The community is 701:9999. Any route you tag with that community gets dropped accross the entire 701 edge. Feel free to contact support and tell
you want to setup the blackhole community if you are having any troubles.
[Wed, Mar 03, 2004 at 08:34:00AM -0800] Andy Ellifson Inscribed these words...
When I first saw this post I thought that MCI/UU.Net implemented
some DDOS
BGP community strings like CW implemented a month ago. If only all of my upstreams would have this type of BGP Community string my life would be made easier. Here is the customer release letter from from CW dated Januray 23, 2004:
Dear Customer,
If you have received this email, you are either a direct customer of AS3561, (i.e. you have registered a route object for a customer of AS3561), or are listed in the maintainer of a customer of AS3561.
AS3561 has implemented a blackhole/DDoS community string based solution to aid customers in the mitigation of DoS attacks. If you are currently running BGP with us, you will be able to use this feature.
If you advertise a prefix (route) to us with the community string 3561:666, we will NULL route or 'blackhole' all traffic destined to
prefix. The prefixes accepted are based on the current prefix-list generated for you. Instead of doing exact match filtering, we will accept any prefix (more "specific") within your address block(s). e.g. if you have 192.168.0.0/16 registered, we will accept 192.168.0.0/16 upto /32 as long as the 3561:666 community string is attached.
Please ensure you are configured to send community strings and understand the impact of errant advertisements. Diligence should be used when administrating this feature. Once the prefix is received and
within AS3561, all traffic destined to the prefix will be discarded and the blackholing of traffic will continue as long as DDoS community string is being advertised. Neither Cable & Wireless nor AS3561 will be held liable or responsible for customers who errantly advertise prefixes with
blackhole community string.
If you wish to utilize this feature, you can verify our acceptance of the advertised prefix by querying the AS3561 route server located at http://lg.cw.net.
Please remember, we require you to complete a priority one incident report at http://www.security.cw.net (Report an Incident) and include
XO set up a similar customer community last year for our customers to trigger their own black hole at our edge. There is no such thing as an original idea. :) This "promised response" probably means if you press 3 on your phone, you will get a CSR to open a ticket within 15 minutes. Sounds like nice marketing. Jason this. them that propagated the details
of the
attack. An email describing further details of the attack can be
security@cw.net, please include the incident report number in the subject to assist in the tracking and documentation of the incident. This will ensure the attack is properly administrated handled by our Security and Legal Groups.
--- John Obi <dalnetuzer@yahoo.com> wrote:
Hello Nanogers!
I'm happy to see this, and I hope C&W, Verio, and Level3 ..etc will do
same!
MCI/WorldCom Monday unveiled a new service level agreement (SLA) to help IP services customers thwart and defend against Internet viruses and
sent to the threats.
http://informationweek.securitypipeline.com/news/18201396
It's the right time before it's too late!
Regards,
-J
--------------------------------- Do you Yahoo!? Yahoo! Search - Find what you're looking for faster.
--
Stephen (routerg) irc.dks.ca