DDoS mitigation with BGP communities
Hello, I just experienced my first official DDoS attack against my network. I never realized how helpless I was :(. I had roughly 70 Mbps of traffic aimed at one IP. The IP wasn't even in use; I'm assuming someone typed the wrong IP and meant to send it somewhere else. I shut it down by removing the /24 announcement. This was fine except for the customers on that /24. I know my upstreams have special communities I can set via BGP announcements that effectively say 'route packets to this network to null0'. My question is, what do I need to put on my router (i.e. code examples) to inject the /32 into the BGP announcements? I try to be a good net citizen and announce aggregate blocks. I had to break my /21 up so I could announce everything but the /24 in the middle. Any help would be greatly appreciated.
Routers are a couple of 7500 series running 12.0.xx
-Matt
On Mon, 14 Jun 2004, Matthew Crocker wrote:
I think this was covered a few times, but: http://www.secsup.org/CustomerBlackHole/ includes some config snippets for you there.
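For readers who want to see what the customer side of a community-triggered blackhole looks like on IOS, here is an added configuration example; it is not from the thread or from the secsup.org page Chris links, and every address, AS number and community value in it is a placeholder (RFC 5737/5398 documentation ranges; 64497:666 stands in for whatever blackhole community your upstream actually documents). It assumes the upstream honours a blackhole community on customer prefixes and that the router already carries an aggregate announcement, here 192.0.2.0/24 standing in for Matt's /21.

```cisco
! Customer-side remote-triggered blackhole (RTBH) on Cisco IOS.
! Example config, not from the original thread; all values are placeholders.

! Display communities as ASN:NN so the community-list below can match them.
ip bgp-community new-format

! Do not generate ICMP unreachables for traffic we are discarding.
interface Null0
 no ip unreachables

! 1. The victim host route. The tag is what lets the route-map pick it out;
!    locally this already discards the flood on this router.
ip route 192.0.2.10 255.255.255.255 Null0 tag 666

! 2. Only tagged statics get redistributed, and they are stamped with the
!    upstream's blackhole community (placeholder 64497:666) plus no-export
!    so the /32 never leaks beyond the upstream.
route-map BLACKHOLE-OUT permit 10
 match tag 666
 set community 64497:666 no-export

! 3. Outbound policy to the upstream: the normal aggregate prefix-list would
!    drop a /32, so a clause permitting blackhole-tagged routes comes first.
ip community-list 1 permit 64497:666
ip prefix-list AGGREGATES seq 5 permit 192.0.2.0/24

route-map TO-UPSTREAM permit 10
 match community 1
route-map TO-UPSTREAM permit 20
 match ip address prefix-list AGGREGATES

! 4. BGP: keep the aggregate in place, redistribute the tagged static,
!    and make sure communities are actually sent to the upstream.
router bgp 64496
 network 192.0.2.0 mask 255.255.255.0
 redistribute static route-map BLACKHOLE-OUT
 neighbor 203.0.113.1 remote-as 64497
 neighbor 203.0.113.1 send-community
 neighbor 203.0.113.1 route-map TO-UPSTREAM out
```

To confirm it is doing what you expect, `show ip bgp 192.0.2.10` should show the /32 carrying the blackhole community and no-export, and `show ip bgp neighbors 203.0.113.1 advertised-routes` should list both the aggregate and the /32. Removing the `ip route ... Null0 tag 666` line withdraws the blackhole; the aggregate is never touched, so the rest of the /24 (or /21) keeps working while the one host is sunk. Nothing is verified about which community value a given upstream uses: that has to come from their documentation, and the `send-community` line is the piece most often forgotten.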
Welcome to the Club; they will come again. Trust me, I have had my share of these for months now. They will come in variations, from IOS exploits to UDP and SYN attacks direct to IP addresses that are mounted or unmounted. Update your Ciscos' IOS; there are holes in IOS. BGP holes in 12.0, etc. Routing to Null0 is one method, but you are still routing it, just killing packets. What kind of packets are they sending you?
Peter
Participants (3): Christopher L. Morrow, Matthew Crocker, Pete Schroebel