North American Network Operators Group


Re: engineering --> ddos and flooding

  • From: Sykes, Phil
  • Date: Fri Jun 01 14:51:57 2001

Ooh, a good idea (or is it just late on Friday?)

> Two possible Achilles' heels with this approach are that the multihop BGP
> session between the customer and the ISP's low end router may die under
> the flood of the attack.
> Also the low end router could drop its IBGP peering if it
> becomes too flooded with the now redirected traffic.

I think an appropriately secured web-based interface would be better than
multihop-BGP trickery, for the 'death of the customer connection' reason.
I'd hope every responsible NOC operator has at least 5 backup dialup
accounts on other people's networks to access the webpage through.

Perhaps the low-end router (or Zebra-running box) on the ISP's side could
advertise the routes internally to the ISP network with a next-hop of a big
router that can take the pain (or a security box that can log the packets).
Alternatively, a route-map on each router in the network could null route
any route advertisement with a nullroute community (curses, thought of it a
couple of seconds too late :-)

Cheers,

Phil Sykes, Network Engineer
Cable & Wireless European IP Engineering
p: +49 89 92699 204 m: +49 172 89 79 727
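
The route-map idea from the last paragraph of the message above, sketched as IOS-style configuration. This is an added example, not part of the original post or anyone's production config. The AS number 64500, community 64500:666, discard address 192.0.2.1, peer addresses 198.51.100.1 and 198.51.100.2, and the names NULLROUTE and IBGP-IN are all constructed for illustration.

```cisco
! --- On every router in the ISP network ---
! Constructed values throughout: AS 64500, community 64500:666,
! discard address 192.0.2.1, iBGP peer 198.51.100.1.
ip bgp-community new-format
!
! Discard address: any BGP route whose next-hop resolves to this
! static route is dropped at the first router that sees the traffic.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Do not answer every dropped flood packet with an ICMP unreachable.
interface Null0
 no ip unreachables
!
! The agreed "nullroute" community.
ip community-list standard NULLROUTE permit 64500:666
!
! Routes carrying the community get their next-hop rewritten to the
! discard address; everything else is accepted unchanged.
route-map IBGP-IN permit 10
 match community NULLROUTE
 set ip next-hop 192.0.2.1
!
route-map IBGP-IN permit 20
!
router bgp 64500
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 route-map IBGP-IN in
!
! --- On the low-end router (or Zebra box) that injects the route ---
! The community only reaches the other routers if it is sent to them.
router bgp 64500
 neighbor 198.51.100.2 remote-as 64500
 neighbor 198.51.100.2 send-community
```

Because the drop happens on each router that receives the tagged route, the flood is discarded where it enters the network and is never carried to the low-end router, which is the iBGP-peering concern raised in the quoted text.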