North American Network Operators Group
Re: engineering --> ddos and flooding
Ooh, a good idea (or is it just late on Friday?)

> Two possible Achilles heels with this approach are that the multihop BGP session between the
> customer and the ISP's low end router may die under the flood of the
> attack.
> Also the low end router could drop its IBGP peering if it
> becomes too flooded with the now redirected traffic.

I think an appropriately secured web-based interface would be better than multihop-BGP trickery, for the 'death of the customer connection' reason. I'd hope every responsible NOC operator has at least 5 backup dialup accounts on other people's networks to access the webpage through.

Perhaps the low-end router (or Zebra-running box) on the ISP's side could advertise the routes internally to the ISP network with a next-hop of a big router that can take the pain (or a security box that can log the packets).

Alternatively, a route-map on each router in the network could null route any route advertisement with a nullroute community (curses, thought of it a couple of seconds too late :-)

Cheers,

Phil Sykes, Network Engineer
Cable & Wireless European IP Engineering
p: +49 89 92699 204
m: +49 172 89 79 727
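The community-triggered null route Phil describes, written out as an added example in Cisco IOS syntax (not configuration from the post or from Cable & Wireless); the ASNs, the community value 65000:666, the customer prefix and the discard address 192.0.2.1 are assumptions from the documentation ranges, and the prefix-list is the check that keeps a customer from blackholing address space that is not its own:

```cisco
! Added example, not from the post. Assumed values: ISP AS 64500, customer
! AS 64496, blackhole community 65000:666, customer space 203.0.113.0/24,
! discard next-hop 192.0.2.1.
ip bgp-community new-format
!
! Only the customer's own address space may be blackholed; /32s inside it
! are allowed so a single attacked host can be dropped.
ip prefix-list CUST-64496 seq 10 permit 203.0.113.0/24 le 32
!
! Advertisements carrying the blackhole community are recognised here.
ip community-list standard BLACKHOLE permit 65000:666
!
! Inbound policy for the customer session. Tagged routes (both match
! clauses must hold) get a next-hop that every router discards statically;
! untagged routes are accepted normally but still limited to the customer's
! prefixes. Pointing the next-hop at a logging box instead of the discard
! address gives the "security box that can log the packets" variant.
route-map CUST-64496-IN permit 10
 match ip address prefix-list CUST-64496
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
route-map CUST-64496-IN permit 20
 match ip address prefix-list CUST-64496
!
! Discard route, configured on every router that learns the IBGP routes,
! so traffic to a blackholed prefix is dropped wherever it enters the network.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 64500
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 ebgp-multihop 5
 neighbor 203.0.113.1 maximum-prefix 100
 neighbor 203.0.113.1 route-map CUST-64496-IN in
```

Without the prefix-list match in sequence 10, a customer could tag any prefix with the community and discard someone else's traffic, so that line is the part to review most carefully.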