Hey,

On 18 April 2018 at 14:03, Ryan Hamel <Ryan.Hamel@quadranet.com> wrote:
>> a) edge filter, on all edge interfaces ensure that only udp traceroute, icmp are sent (policed) to infrastructure addresses
> While I can implement an edge filter to drop such traffic, it's impacting our clients' traffic as well.
I don't understand why that would be true; your customers shouldn't be using links for anything useful. But again, in your case the attack is coming from the far end, so they need to do this to benefit you.
>> b) do not advertise link networks in iBGP
> This has never been an issue.
It is now. If the link is far-end assigned, and if the far end does not advertise it, then the attack has to come from the same far-end router you're connected to, greatly reducing the attack surface.
>> c) do run BGP with GTSM, so you can drop BGP packets with lower TTL than 255
> Could you explain how this can resolve my issue? I am not sure how this would work.
If your link isn't protected, then attacking just your BGP session allows bringing down the BGP session with very modest bandwidth, like <5 Mbps. If you do GTSM and drop BGP packets with TTL <255, then typically the attacker can't bring down the BGP session, or at the very least they need to congest the whole line rate.

--
  ++ytti
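As an added illustration of the three suggestions in this thread (this is an example written for this page, not code from either poster or from any vendor): a small Python model of an edge router that applies an infrastructure ACL on its edge interface, drops BGP packets that fail the GTSM TTL check, and models whether a far-end network that keeps the link /30 out of iBGP can route an attack to it at all. All addresses are constructed from the RFC 5737 documentation ranges. Two things are assumptions of mine rather than statements from the thread: the edge filter exempts BGP from the configured peer address (the filter as worded would otherwise drop the session itself), and the TTL arithmetic follows RFC 5082, where a directly connected peer's packets arrive with TTL 255 untouched and every forwarding router subtracts one.

```python
"""Model of the three mitigations discussed in the thread (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Assumptions: our side of the link and the far-end peer (constructed, RFC 5737 ranges).
OUR_LINK_ADDR = "198.51.100.2"
PEER_LINK_ADDR = "198.51.100.1"
LINK_PREFIX = ipaddress.ip_network("198.51.100.0/30")
LOOPBACK_PREFIX = ipaddress.ip_network("192.0.2.0/24")
INFRA_PREFIXES = [LINK_PREFIX, LOOPBACK_PREFIX]
TRACEROUTE_PORTS = range(33434, 33535)   # classic UDP traceroute destination ports


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for protocols without ports
    ttl: int = 255      # senders in this model always start at the maximum


def to_infrastructure(dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return any(addr in p for p in INFRA_PREFIXES)


def edge_filter(pkt: Packet) -> str:
    """Suggestion a): on edge interfaces only ICMP and UDP traceroute may reach
    infrastructure addresses, and those are policed (rate limited). The BGP
    exemption for the configured peer is this model's assumption: without it the
    session would never come up. Returns "permit", "police" or "drop"."""
    if not to_infrastructure(pkt.dst):
        return "permit"                     # customer transit traffic is untouched
    if (pkt.proto == "tcp" and pkt.dport == 179
            and pkt.src == PEER_LINK_ADDR and pkt.dst == OUR_LINK_ADDR):
        return "permit"                     # the eBGP session itself
    if pkt.proto == "icmp" or (pkt.proto == "udp" and pkt.dport in TRACEROUTE_PORTS):
        return "police"
    return "drop"


def gtsm_accept(pkt: Packet, expected_hops: int = 1) -> bool:
    """Suggestion c) (RFC 5082): a directly connected peer (expected_hops=1) sends
    with TTL 255 and nothing decrements it before we receive it, so any BGP packet
    below 255 was forwarded by at least one router and cannot be from the peer."""
    return pkt.ttl >= 256 - expected_hops


def reachable_infrastructure(advertise_link_in_ibgp: bool) -> set:
    """Suggestion b): infrastructure prefixes the rest of the far-end network can
    route to. Loopbacks are always advertised; the link /30 only if they put it
    in iBGP. If they do not, only the peer router itself knows the link."""
    reachable = {LOOPBACK_PREFIX}
    if advertise_link_in_ibgp:
        reachable.add(LINK_PREFIX)
    return reachable


def evaluate(pkt: Packet, intermediate_routers: int, advertise_link_in_ibgp: bool = True) -> str:
    """Trace one packet from its origin to our router. intermediate_routers is the
    number of routers that forward (and therefore decrement TTL on) the packet
    before it reaches us; 0 means the directly connected peer sent it."""
    if intermediate_routers > 0 and to_infrastructure(pkt.dst):
        addr = ipaddress.ip_address(pkt.dst)
        if not any(addr in p for p in reachable_infrastructure(advertise_link_in_ibgp)):
            return "no-route"               # the far-end network cannot deliver it to us
    ttl = pkt.ttl - intermediate_routers
    if ttl <= 0:
        return "ttl-expired"
    arrived = Packet(pkt.src, pkt.dst, pkt.proto, pkt.dport, ttl)
    verdict = edge_filter(arrived)
    if verdict != "permit":
        return verdict
    if arrived.proto == "tcp" and arrived.dport == 179:
        return "bgp-accepted" if gtsm_accept(arrived) else "dropped-by-gtsm"
    return "permit"


if __name__ == "__main__":
    scenarios = [
        ("real peer, BGP", Packet(PEER_LINK_ADDR, OUR_LINK_ADDR, "tcp", 179), 0, True),
        ("spoofed BGP from 3 hops away, link in iBGP", Packet(PEER_LINK_ADDR, OUR_LINK_ADDR, "tcp", 179), 3, True),
        ("spoofed BGP from 3 hops away, link not in iBGP", Packet(PEER_LINK_ADDR, OUR_LINK_ADDR, "tcp", 179), 3, False),
        ("UDP flood at link address", Packet("203.0.113.9", OUR_LINK_ADDR, "udp", 53), 3, True),
        ("traceroute probe at link address", Packet("203.0.113.9", OUR_LINK_ADDR, "udp", 33434), 3, True),
        ("customer transit traffic", Packet("203.0.113.9", "203.0.113.200", "tcp", 443), 5, True),
    ]
    for name, pkt, hops, adv in scenarios:
        print(f"{name:50s} -> {evaluate(pkt, hops, adv)}")
```

The second and third scenarios are the thread's point: with the link prefix advertised, a remote attacker can spoof the peer's address at the BGP port, but its packets arrive with TTL 252 and GTSM discards them before the session sees them; with the link prefix kept out of iBGP, the far-end network has no route to the /30 and the attack cannot even reach our router unless it originates on the peer router itself. Note that GTSM only protects the session, not the link: a flood that the edge filter drops still consumed the line rate to get there.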