North American Network Operators Group


Re: netscan.org update

  • From: Troy Davis
  • Date: Sun Sep 24 16:00:55 2000

On Sun, 24 Sep 2000, James A. T. Rice <[email protected]> wrote:

> Why aggregate ? You could just announce the /32's of the actual broadcast
> addresses, and cause much less damage to other resources on that network.

/32 announcements filter the pre-amplification (attacker -> amplifier) 
traffic, which very likely takes a different path than post-amplification 
(amplifier -> victim) traffic.  Since using 1.2.3.255 as an amplifier can 
result in responses from other IPs within 1.2.3.0/24 (and occasionally 
even other netblocks), if the attacker <-> amplifier path doesn't accept 
the BGP feed, the attack will happen regardless of whether the victim's 
upstream accepts the BGP feed.

The /24 announcements filter [most of] the actual flood as well as the
amplifiers.

> Also if you do aggregate, your blackhole route will probably be less
> specific than the 'real' route, so the 'real' route and not the blackhole
> one is what would get used.

Good point.  Unaggregated /24s would be the way to go.  To keep the
number of routes manageable, we would probably announce just those with a
high amplification ( > 10x).

Cheers,

Troy
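The selection logic the thread settles on (group amplifiers into their covering /24s, keep only those above the 10x amplification threshold, and watch for blackhole prefixes that a more-specific "real" route would beat under longest-prefix match) as an added worked example. This is not netscan.org's code or anything posted to the list; the amplifier records, the "real" routing table and the function names are all constructed for illustration.

```python
"""Added example (not from the original post): pick /24 blackhole
announcements from constructed smurf-amplifier scan records and flag any
candidate that a more-specific existing route would shadow."""
import ipaddress
from collections import defaultdict

# Constructed sample records in the spirit of a netscan.org listing:
# (broadcast address probed, number of hosts that replied to one probe).
# Replies per probe is the amplification factor.
SAMPLE_AMPLIFIERS = [
    ("192.0.2.255", 45),
    ("192.0.2.127", 3),
    ("198.51.100.255", 12),
    ("203.0.113.255", 2),
    ("203.0.113.63", 8),
]

# Constructed 'real' routes already present in the routing table.
SAMPLE_REAL_ROUTES = ["198.51.100.0/25", "198.51.100.128/25"]

MIN_AMPLIFICATION = 10  # the ">10x" threshold mentioned in the post


def amplification_by_prefix(records, prefix_len=24):
    """Group amplifier records into covering prefixes and keep the highest
    amplification factor seen in each. The whole /24 is tracked because a
    broadcast probe can draw replies from other hosts in the block, which
    is why the post prefers /24 over /32 announcements."""
    best = defaultdict(int)
    for addr, replies in records:
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        best[net] = max(best[net], replies)
    return dict(best)


def candidate_blackholes(records, threshold=MIN_AMPLIFICATION, prefix_len=24):
    """Return, sorted, the prefixes whose best amplification exceeds threshold."""
    return sorted(
        net
        for net, factor in amplification_by_prefix(records, prefix_len).items()
        if factor > threshold
    )


def shadowed_by_more_specific(blackhole, real_routes):
    """Longest-prefix match: a real route that is more specific than the
    blackhole and lies inside it wins, so the blackhole would not take
    effect for that part of the range. Returns the offending routes."""
    bh = ipaddress.ip_network(blackhole)
    return [
        r
        for r in (ipaddress.ip_network(x) for x in real_routes)
        if r.prefixlen > bh.prefixlen and r.subnet_of(bh)
    ]


def plan_announcements(records, real_routes, threshold=MIN_AMPLIFICATION):
    """Split candidates into prefixes safe to announce and prefixes that a
    more-specific real route would shadow (those need a closer look
    rather than a blind announcement)."""
    announce, shadowed = [], {}
    for net in candidate_blackholes(records, threshold):
        more_specific = shadowed_by_more_specific(net, real_routes)
        if more_specific:
            shadowed[str(net)] = [str(r) for r in more_specific]
        else:
            announce.append(str(net))
    return announce, shadowed


if __name__ == "__main__":
    to_announce, shadowed = plan_announcements(SAMPLE_AMPLIFIERS, SAMPLE_REAL_ROUTES)
    print("announce:", to_announce)
    print("shadowed by more-specific routes:", shadowed)
```

With the constructed data, 192.0.2.0/24 (45x) is announced, 203.0.113.0/24 (8x) falls under the threshold, and 198.51.100.0/24 (12x) is flagged because two /25 routes inside it would be preferred by longest-prefix match, which is exactly the failure mode raised in the quoted reply.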