North American Network Operators Group
Re: netscan.org update
On Sun, 24 Sep 2000, James A. T. Rice <[email protected]> wrote:

> Why aggregate? You could just announce the /32's of the actual broadcast
> addresses, and cause much less damage to other resources on that network.

/32 announcements filter the pre-amplification (attacker -> amplifier) traffic, which very likely takes a different path than post-amplification (amplifier -> victim) traffic. Since using 1.2.3.255 as an amplifier can result in responses from other IPs within 1.2.3.0/24 (and occasionally even other netblocks), if the attacker <-> amplifier path doesn't accept the BGP feed, the attack will happen regardless of whether the victim's upstream accepts the BGP feed. The /24 announcements filter [most of] the actual flood as well as the amplifiers.

> Also if you do aggregate, your blackhole route will probably be less
> specific than the 'real' route, so the 'real' route and not the blackhole
> one is what would get used.

Good point. Unaggregated /24s would be the way to go. To keep the number of routes manageable, we would probably announce just those with a high amplification (> 10x).

Cheers,
Troy
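The two routing points made in the message above (a /32 on the broadcast address covers only one of the addresses an amplifier replies from, and an aggregated blackhole loses to a more specific 'real' route under longest-prefix match) modelled with the standard ipaddress module, as an added example that is not part of the original post or of netscan.org. The amplifier records, reply sources, route table and the local-preference tie-break used for equal-length prefixes are constructed assumptions for illustration.

```python
"""Longest-prefix-match model of the /32 vs /24 blackhole discussion.
Added example, not code from the NANOG thread; all data below is constructed."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# (prefix, local_pref, next_hop); local_pref is an assumed tie-breaker for
# equal-length prefixes, a simplification of BGP path selection.
Route = Tuple[ipaddress.IPv4Network, int, str]

# Constructed netscan.org-style records: (reported broadcast address, amplification ratio).
AMPLIFIERS = [
    ("1.2.3.255", 48.0),
    ("1.2.4.255", 7.5),       # below the 10x threshold proposed above: not announced
    ("10.20.30.255", 120.0),
    ("10.20.30.0", 120.0),    # same /24 reported via its zero broadcast: deduplicated
]

# Constructed reply sources seen from one amplifier: the broadcast address
# itself plus ordinary hosts inside the /24, as the message describes.
REPLY_SOURCES = ["1.2.3.255", "1.2.3.17", "1.2.3.200"]


def blackhole_prefixes(records: Iterable[Tuple[str, float]],
                       min_ratio: float = 10.0) -> List[ipaddress.IPv4Network]:
    """One unaggregated /24 per amplifier whose ratio exceeds min_ratio."""
    chosen = set()
    for addr, ratio in records:
        if ratio > min_ratio:
            # strict=False turns the host address into its enclosing /24
            chosen.add(ipaddress.ip_network(f"{addr}/24", strict=False))
    return sorted(chosen)


def best_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest matching prefix wins; on equal length the higher local_pref wins."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, r[1]))


def covered(blackhole: ipaddress.IPv4Network, sources: Iterable[str]) -> int:
    """Count reply source addresses that fall inside the blackhole prefix."""
    return sum(ipaddress.ip_address(s) in blackhole for s in sources)


def slash32_coverage() -> int:
    # A /32 on the broadcast address only catches replies sourced from it.
    return covered(ipaddress.ip_network("1.2.3.255/32"), REPLY_SOURCES)


def slash24_coverage() -> int:
    # The /24 catches replies from every host in the amplifying network.
    return covered(ipaddress.ip_network("1.2.3.0/24"), REPLY_SOURCES)


def aggregated_blackhole_next_hop() -> str:
    # An aggregated /16 blackhole is less specific than the real /24, so
    # longest-prefix match sends traffic to the real next hop regardless of preference.
    table = [
        (ipaddress.ip_network("1.2.3.0/24"), 100, "transit"),  # the 'real' route
        (ipaddress.ip_network("1.2.0.0/16"), 200, "null0"),    # aggregated blackhole
    ]
    return best_route(table, "1.2.3.77")[2]


def unaggregated_blackhole_next_hop() -> str:
    # With an unaggregated /24 the prefix lengths tie and the assumed
    # higher local_pref on the blackhole route decides the lookup.
    table = [
        (ipaddress.ip_network("1.2.3.0/24"), 100, "transit"),
        (ipaddress.ip_network("1.2.3.0/24"), 200, "null0"),
    ]
    return best_route(table, "1.2.3.77")[2]


if __name__ == "__main__":
    print("announce:", [str(p) for p in blackhole_prefixes(AMPLIFIERS)])
    print("/32 covers", slash32_coverage(), "of", len(REPLY_SOURCES), "reply sources")
    print("/24 covers", slash24_coverage(), "of", len(REPLY_SOURCES), "reply sources")
    print("aggregated /16 blackhole ->", aggregated_blackhole_next_hop())
    print("unaggregated /24 blackhole ->", unaggregated_blackhole_next_hop())
```

The equal-length case is the one the model cannot settle on prefix length alone: whether the /24 blackhole or the real /24 is installed depends on the receiving router's BGP path selection, which is why blackhole feeds are normally tagged so the receiver can prefer them deliberately.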