Hi folks, Last week we received a DoS attack which got down my BGP connections to my upstream providers (for three or four times I believe). I also believe that event caused some routers to suppress my BGP announcement. I would appreciate suggestions on "how to proceed?" with this situation. Thanks in advance. Regards, Gustavo.
On Jan 16, 2006, at 7:28 AM, Gustavo Rodrigues Ramos wrote:
Last week we received a DoS attack which got down my BGP connections to my upstream providers (for three or four times I believe). I also believe that event caused some routers to suppress my BGP announcement.
I would appreciate suggestions on "how to proceed?" with this situation.
Remind everyone that flap dampening is no longer a good idea, and is in fact considered harmful. (Cue discussion at last RIPE.) The problem is probably not flapping 3 times, but the amplification some people saw. (One of the reasons it was decided not to promote flap dampening at RIPE.) Not much you can do about this in general. In your specific case, since we don't know why your sessions died, we don't know what to suggest to stop it. Perhaps change the timers with your upstream?
-- TTFN, patrick
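Added example, not part of the original thread or of any participant's message: a small model of the per-route flap-damping penalty (exponential decay as in RFC 2439) showing how three or four session resets a couple of minutes apart can leave a prefix suppressed on a remote router for a long time afterwards. The parameter values and the function names are assumptions chosen for illustration (typical default-style values), not settings reported by anyone in this thread.

```python
import math

# Assumed damping parameters (illustrative default-style values, not from the thread)
PENALTY_PER_FLAP = 1000    # added to the route's penalty on every flap
SUPPRESS_LIMIT = 2000      # route is suppressed once the penalty reaches this
REUSE_LIMIT = 750          # route is usable again once the penalty decays below this
HALF_LIFE_MIN = 15.0       # penalty halves every 15 minutes
MAX_SUPPRESS_MIN = 60.0    # upper bound on how long a route may stay suppressed


def decay(penalty, minutes):
    """Exponentially decay a penalty over the given number of minutes."""
    return penalty * 0.5 ** (minutes / HALF_LIFE_MIN)


def simulate(flap_times_min):
    """Return (suppressed_at, reusable_at) in minutes, or (None, None).

    flap_times_min: times (minutes) at which the observing router sees a flap.
    """
    # The penalty is capped so that suppression never exceeds MAX_SUPPRESS_MIN.
    ceiling = REUSE_LIMIT * 2 ** (MAX_SUPPRESS_MIN / HALF_LIFE_MIN)
    penalty, last, suppressed_at = 0.0, None, None
    for t in sorted(flap_times_min):
        if last is not None:
            penalty = decay(penalty, t - last)
            if suppressed_at is not None and penalty < REUSE_LIMIT:
                suppressed_at = None   # route was released before this flap
        penalty = min(penalty + PENALTY_PER_FLAP, ceiling)
        last = t
        if suppressed_at is None and penalty >= SUPPRESS_LIMIT:
            suppressed_at = t
    if suppressed_at is None:
        return None, None
    # Time after the last flap until the penalty decays to the reuse limit.
    wait = HALF_LIFE_MIN * math.log2(penalty / REUSE_LIMIT)
    return suppressed_at, last + wait


if __name__ == "__main__":
    # Constructed scenarios: session resets two minutes apart.
    for flaps in ([0, 2], [0, 2, 4], [0, 2, 4, 6]):
        print(flaps, simulate(flaps))
```

With these assumed values two flaps stay under the suppress limit, while a third suppresses the route for roughly half an hour after the origin is stable again. A remote router that sees additional updates per reset (the amplification mentioned above) is modelled by passing more timestamps.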
Patrick W. Gilmore wrote:
Not much you can do about this in general. In your specific case, since we don't know why your sessions died, we don't know what to suggest to stop it. Perhaps change the timers with your upstream?
My BGP connections (and announcements) with/to my ISPs are all fine. The problem takes place five or six AS far from me... Where I can't do much. I still can't reach some prefixes announced by large ISPs. At the first time, I thought an e-mail to the NOC of the network I can't reach can solve the problem, but it was a waste of time... Thanks again, Gustavo.
The problem takes place five or six AS far from me... Where I can't do much. I still can't reach some prefixes announced by large ISPs.
for the movie, see the apnic presentation http://rip.psg.com/~randy/020910.zmao-flap.pdf
for the book, see Z. Mao, R. Govindan, G. Varghese, R. Katz "Route Flap Damping Exacerbates Internet Routing Convergence" 2002
randy
On Jan 16, 2006, at 8:48 AM, Gustavo Rodrigues Ramos wrote:
Patrick W. Gilmore wrote:
Not much you can do about this in general. In your specific case, since we don't know why your sessions died, we don't know what to suggest to stop it. Perhaps change the timers with your upstream?
My BGP connections (and announcements) with/to my ISPs are all fine.
The problem takes place five or six AS far from me... Where I can't do much. I still can't reach some prefixes announced by large ISPs.
At the first time, I thought an e-mail to the NOC of the network I can't reach can solve the problem, but it was a waste of time...
I'm a little confused. Are you saying you dampened the prefixes of some other network? If so, it sounds like this is 100% in your control. If the BGP sessions between you and your upstreams / peers never flapped, no one should have dampened you. (I can see it possibly happening if someone else in the path between you and $OtherNetwork is attacked and therefore flaps your routes, but that would affect a lot of networks, not just you.)
-- TTFN, patrick
Do this, configure and use blackhole routing with your upstream, this is how you stop an attack. How to detect it, use netflow.
On 1/16/06, Patrick W. Gilmore <patrick@ianai.net> wrote:
On Jan 16, 2006, at 8:48 AM, Gustavo Rodrigues Ramos wrote:
Patrick W. Gilmore wrote:
Not much you can do about this in general. In your specific case, since we don't know why your sessions died, we don't know what to suggest to stop it. Perhaps change the timers with your upstream?
My BGP connections (and announcements) with/to my ISPs are all fine.
The problem takes place five or six AS far from me... Where I can't do much. I still can't reach some prefixes announced by large ISPs.
At the first time, I thought an e-mail to the NOC of the network I can't reach can solve the problem, but it was a waste of time...
I'm a little confused.
Are you saying you dampened the prefixes of some other network? If so, it sounds like this is 100% in your control.
If the BGP sessions between you and your upstreams / peers never flapped, no one should have dampened you. (I can see it possibly happening if someone else in the path between you and $OtherNetwork is attacked and therefore flaps your routes, but that would affect a lot of networks, not just you.)
-- TTFN, patrick
participants (4)
- Gustavo Rodrigues Ramos
- Kim Onnel
- Patrick W. Gilmore
- Randy Bush