Hello,

I just experienced my first official DDoS attack against my network. I never realized how helpless I was :(. I had roughly 70 mbps of traffic aimed at one IP. The IP wasn't even in use, I'm assuming someone typed the wrong IP and meant to send it somewhere else. I shut it down by removing the /24 announcement. This was fine except for the customers on that /24. I know my upstreams have special communities I can set via BGP announcements that effectively say 'route packets to this network to null0'. My question is, what do I need to put on my router (i.e. code examples) to inject the /32 into the BGP announcements. I try to be a good net citizen and announce aggregate blocks. I had to break my /21 up so I could announce everything but the /24 in the middle. Any help would be greatly appreciated.

Routers are a couple 7500 series running 12.0.xx

-Matt

Welcome to the Club, they will come again. Trust me I have had my share of these for months now. They will come in variations from IOS exploits to UDP and SYN attacks direct to IP addresses that are mounted or unmounted. Update your Cisco's IOS they have holes in IOS. BGP holes in 12.0., etc . . . Routing to Null0 is one method but, you are still routing it, just killing packets. What kind of packets are they sending you? Peter