On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote:
> Just like the blackhole community routes, certain /32's (only, nothing shorter) can be exported from the customer to the backbone to be blackholed at the edges. The twist is that instead of limiting the customer announcement to the customer's IPs, you force only /32s to be announced for the blackhole prefixes and limit the total number of prefixes. Say 100 (or 10, or 1000, depending on how much trust you have).
>
> So say joe-customer has identified his top 50 DDOS sources, he announces them to you, voila, DDOS gone (even for spoofed traffic, depending on how your filters are set up). Obviously these would be no-export routes so no peer need be worried.
1. Why is BGP the right tool for this?

2. Is your idea to block only packets destined for the customer making the request, or to 0/0?

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
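The filter the quoted proposal describes, written out as an added IOS-style example (not configuration from either poster or from any real network): accept from the customer only host routes carrying an agreed blackhole community, cap the session's prefix count, route them to a discard next hop, and keep them inside the AS with no-export. All values are assumed: our AS 65000, customer AS 65001 on 203.0.113.2, customer space 198.51.100.0/24, blackhole community 65000:666, discard next hop 192.0.2.1, and the interface name.

```cisco
! Assumed values (not from the thread): our AS 65000, customer AS 65001 at
! 203.0.113.2, customer space 198.51.100.0/24, blackhole community 65000:666,
! discard next-hop 192.0.2.1.
!
! Host routes only (/32), from anywhere, not restricted to the customer's
! own address space; this is the "twist" in the proposal.
ip prefix-list CUST-BLACKHOLE-V4 seq 10 permit 0.0.0.0/0 ge 32
! The customer's normal announcements stay restricted to their own space.
ip prefix-list CUST-ROUTES-V4 seq 10 permit 198.51.100.0/24 le 24
!
ip community-list standard CUST-BLACKHOLE permit 65000:666
!
! Discard next hop; every edge router that learns a blackhole route needs
! this static route so the traffic is dropped at the edge, not centrally.
ip route 192.0.2.1 255.255.255.255 Null0
!
route-map CUST-IN permit 10
 description /32s tagged for blackholing: discard next hop, never exported
 match ip address prefix-list CUST-BLACKHOLE-V4
 match community CUST-BLACKHOLE
 set ip next-hop 192.0.2.1
 set community no-export
 set local-preference 200
route-map CUST-IN permit 20
 description ordinary customer routes; strip the community so it cannot leak
 match ip address prefix-list CUST-ROUTES-V4
 set comm-list CUST-BLACKHOLE delete
! Implicit deny: a non-/32 with the blackhole community, or a /32 outside
! the customer's space without it, is rejected.
!
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 route-map CUST-IN in
 ! The per-customer cap from the proposal. IOS counts every prefix on the
 ! session, so the number must also cover the customer's normal routes.
 neighbor 203.0.113.2 maximum-prefix 100
!
! To drop packets *from* the blackholed addresses (the DDoS sources the
! proposal talks about), not just packets to them, edge interfaces need
! loose-mode uRPF: a source whose best route points at Null0 is discarded.
interface GigabitEthernet0/1
 description assumed peer-facing edge interface
 ip verify unicast source reachable-via any
```

Two practical caveats. First, `maximum-prefix` tears the session down when exceeded, which is the intended hard stop, but it is a session-wide count, so a customer near the limit on ordinary routes loses the ability to add blackholes. Second, whether the discard is destination-based (drop traffic to the /32) or source-based (drop traffic from it) is decided by the uRPF line, not by BGP: without loose uRPF on the edge interfaces the Null0 route only affects packets destined for the announced address.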