North American Network Operators Group


Re: netscan.org update

  • From: James A. T. Rice
  • Date: Sun Sep 24 16:25:06 2000

On Sun, 24 Sep 2000, Troy Davis wrote:

> /32 announcements filter the pre-amplification (attacker -> amplifier) 
> traffic, which very likely takes a different path than post-amplification 
> (amplifier -> victim) traffic.  Since using 1.2.3.255 as an amplifier can 
> result in responses from other IPs within 1.2.3.0/24 (and occasionally 
> even other netblocks), if the attacker <-> amplifier path doesn't accept 
> the BGP feed, the attack will happen regardless of whether the victim's 
> upstream accepts the BGP feed.
> 
> The /24 announcements filter [most of] the actual flood as well as the
> amplifiers.

If you want to filter the flood rather than the pre-amplification, you'd
be trying to filter by source IP, rather than nullroute on destination IP,
which would require either policy routing, which is relatively expensive,
or something along the lines of Cisco's ip verify unicast reverse path,
which you'd be lucky if you found an interface 'safe' to use it on. This
would be a LOT more work for people to set up than nullrouting the /32
broadcast addresses.

-James
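To make the distinction in this exchange concrete, here is an added Python model (not from the thread or netscan.org) that runs a constructed packet sample through a destination-based null route of the /32 broadcast address, a destination-based null route of the /24, and a source-based drop of the kind policy routing or uRPF would give. The addresses, the packet sample and the simple policy functions are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of (src, dst) packets, in the roles the thread describes:
# 1.2.3.0/24 is a smurf amplifier network, 10.9.9.9 the victim whose address
# is spoofed, 198.51.100.5 an unrelated host. All addresses are illustrative.
AMP_NET = ipaddress.ip_network("1.2.3.0/24")
VICTIM = ipaddress.ip_address("10.9.9.9")
SAMPLE = [
    ("10.9.9.9", "1.2.3.255"),     # pre-amplification: spoofed request to broadcast
    ("10.9.9.9", "1.2.3.255"),
    ("1.2.3.1", "10.9.9.9"),       # post-amplification: replies from hosts in the /24
    ("1.2.3.7", "10.9.9.9"),
    ("1.2.3.200", "10.9.9.9"),
    ("1.2.3.1", "10.9.9.9"),
    ("198.51.100.5", "1.2.3.10"),  # legitimate traffic into the amplifier network
    ("1.2.3.10", "198.51.100.5"),  # legitimate traffic out of it
]

def classify(src, dst):
    """Label a packet by its role in the attack (a model, not a wire-level test)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d == AMP_NET.broadcast_address:
        return "pre"
    if s in AMP_NET and d == VICTIM:
        return "post"
    return "legit"

def dst_nullroute(prefixes):
    """Destination-based null route: drop if dst falls inside any listed prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return lambda src, dst: any(ipaddress.ip_address(dst) in n for n in nets)

def src_filter(prefixes):
    """Source-based drop, as policy routing or uRPF against a null route would do."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return lambda src, dst: any(ipaddress.ip_address(src) in n for n in nets)

def dropped_by_class(policy, packets=SAMPLE):
    """Count dropped packets per class; any 'legit' drop is collateral damage."""
    counts = Counter({"pre": 0, "post": 0, "legit": 0})
    for src, dst in packets:
        if policy(src, dst):
            counts[classify(src, dst)] += 1
    return dict(counts)

if __name__ == "__main__":
    for name, pol in [("/32 dst nullroute", dst_nullroute(["1.2.3.255/32"])),
                      ("/24 dst nullroute", dst_nullroute(["1.2.3.0/24"])),
                      ("/24 src filter", src_filter(["1.2.3.0/24"]))]:
        print(f"{name:18} drops {dropped_by_class(pol)}")
```

The /32 destination null route stops only the spoofed requests toward the broadcast address, while the reply flood from other hosts in the /24 is only caught by a source-based policy, which also costs one legitimate outbound packet in this sample.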