RE: UUNet Offer New Protection Against DDoS
I struggled with this, and came up with the following.

We basically use a standard route-map for all customers where the first term looks for the community. The customer also has a prefix-list on their neighbor statement allowing their blocks le /32. The following terms (term 2 and above) in the route-map which do NOT look for the customer discard community, have a different standard/generic prefix-list evaluation which blocks cruft and permits 0.0.0.0/0 ge 8 le 24.

By doing this, I only accept a customer /32 from his dedicated prefix-list when it has the DOS discard community, otherwise I catch them with the ge 8 le 24 in the following terms.

Jason Lumenello
IP Engineering
XO Communications
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Stephen J. Wilcox
Sent: Wednesday, March 03, 2004 3:48 PM
To: james
Cc: nanog@merit.edu
Subject: Re: UUNet Offer New Protection Against DDoS
I'm puzzled by one aspect of the implementation.. how to build your customer prefix filters.. that is, we have prefix-lists for prefix and length. Therefore at present we can only accept a tagged route for a whole block.. not good if the announcement is a /16 etc.!
Now, I could do as per the website at secsup.org which means we have a route-map entry to match the community before the filtering .. but that would allow the customer to null route any ip.
What we need is one to allow them to announce any route including more specifics of the prefix list - how are folks doing this?
Steve
On Wed, 3 Mar 2004, james wrote:
Global Crossing has this, already in production. I was on the phone with Qwest yesterday & this was one of these things I asked about. Qwest indicated they are going to deploy this shortly. (i.e., send routes tagged with a community which they will set to null)
James Edwards
Routing and Security
jamesh@cybermesa.com
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
505-988-9200
SIP:1(747)669-1965
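As an added illustration that is not from any post in this thread, the policy Jason describes above modelled in Python: the per-neighbor prefix-list of the customer's own blocks "le 32", a first route-map term that matches only the discard community, and later terms that use a generic list which drops cruft and permits 0.0.0.0/0 ge 8 le 24. The customer block, the community value and the cruft list are constructed values chosen for the example.

```python
import ipaddress

# Constructed example values, not taken from the thread: one customer's
# allocation, an assumed discard community, and a short "cruft" list.
DISCARD_COMMUNITY = "64496:666"
CUSTOMER_BLOCKS = [ipaddress.ip_network("192.0.2.0/24")]
CRUFT = [ipaddress.ip_network(n)
         for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def customer_prefix_list(net):
    """Per-neighbor prefix-list: the customer's own blocks, 'le 32'."""
    return any(net.subnet_of(b) for b in CUSTOMER_BLOCKS)


def generic_prefix_list(net):
    """Generic list used by route-map terms 2 and above:
    deny cruft, then permit 0.0.0.0/0 ge 8 le 24."""
    if any(net.subnet_of(c) for c in CRUFT):
        return False
    return 8 <= net.prefixlen <= 24


def evaluate(prefix, communities):
    """Action for a route received from the customer session:
    'discard', 'accept' or 'deny'."""
    net = ipaddress.ip_network(prefix)
    # The neighbor-level prefix-list is applied before the route-map, so a
    # /32 outside the customer's own blocks never reaches term 1, even with
    # the discard community attached.
    if not customer_prefix_list(net):
        return "deny"
    # Term 1: match only the discard community; the route is accepted and
    # its next-hop is set to the discard address.
    if DISCARD_COMMUNITY in communities:
        return "discard"
    # Terms 2+: no community match, so the generic length filter applies and
    # a /32 or /29 without the community is caught here.
    if generic_prefix_list(net):
        return "accept"
    return "deny"  # implicit deny at the end of the route-map
```

Run it with a tagged /32 inside the customer block, an untagged /32, and a tagged /32 outside the block to see the three outcomes.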
On Mar 3, 2004, at 5:51 PM, Lumenello, Jason wrote:
I struggled with this, and came up with the following.
We basically use a standard route-map for all customers where the first term looks for the community. The customer also has a prefix-list on their neighbor statement allowing their blocks le /32. The following terms (term 2 and above) in the route-map which do NOT look for the customer discard community, have a different standard/generic prefix-list evaluation which blocks cruft and permits 0.0.0.0/0 ge 8 le 24.
By doing this, I only accept a customer /32 from his dedicated prefix-list when it has the DOS discard community, otherwise I catch them with the ge 8 le 24 in the following terms.
A lot of people seem to be doing this. Mind if I ask what's the harm of letting customers announce /32 or /29s into your core as long as you filter at your borders? The additional prefixes are not going to kill your routers, and it allows the customer more finely tuned traffic controls. IOW: Seems there is some utility and no harm.

--
TTFN,
patrick
--On 03 March 2004 18:17 -0500 "Patrick W.Gilmore" <patrick@ianai.net> wrote:
A lot of people seem to be doing this.
there is nothing (well very little) new in the world: http://www.merit.edu/mail.archives/nanog/1999-07/msg00083.html

Alex
On Thu, Mar 04, 2004 at 03:39:30PM +0000, Alex Bligh wrote:
A lot of people seem to be doing this.
there is nothing (well very little) new in the world: http://www.merit.edu/mail.archives/nanog/1999-07/msg00083.html
Does anyone know if Cogent offer such a community? Anyone from Cogent on the line?

--
Avleen Vig
Systems Administrator
Personal: www.silverwraith.com
EFnet: irc.mindspring.com (Earthlink user access only)