North American Network Operators Group


RE: Effective ways to deal with DDoS attacks?

  • From: Barry Raveendran Greene
  • Date: Sun May 05 14:13:18 2002

Be mindful that uRPF Strict Mode was created to help scale BCP 38 filtering.
If you have 1000 leased line customers and can use uRPF Strict Mode on 80% of
those customers, that is 80% fewer BCP38 ACLs that you need to manage.

For the other 20% you have uRPF + BGP tweaks or plain old ACLs. But as Chris
inferred, that 20% where you cannot use simple uRPF is also the 20% most
difficult customers.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]]On Behalf Of
> Iljitsch van Beijnum
> Sent: Sunday, May 05, 2002 12:44 AM
> To: Christopher L. Morrow
> Cc: [email protected]
> Subject: Re: Effective ways to deal with DDoS attacks?
>
>
>
> On Sun, 5 May 2002, Christopher L. Morrow wrote:
>
> > > > like with single homed customers. The only time when those sets of
> > > > prefixes is NOT the same is for a backup connection. But if a connection
>
> > > Not always the case, customer behaviour can not be accurately modeled.
>
> > I was hoping someone else might mention this, BUT what about the case of
> > customers providing transit for outbound but not inbound traffic for their
> > customers? We have many, many cases of customers that are 'default
> > routing' for their customers that get inbound traffic down alternate
> > customers or peers or wherever...
>
> Is there a compelling reason you should allow this? If yes, you can't use
> uRPF and you have to install an acl to do sanity checking on the
> customer's source addresses. If no, they'll have to announce those routes
> to you. If they set the no export community they still won't get any
> inbound traffic to speak of.
>
> > uRPF seems like a not so good solution
> > for these instances :( especially since some of these are our worst
> > abusers :(
>
> Well if these are your worst abusers, it seems to me uRPF is exactly what
> those customers need.  ;-)
>
>
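
The strict-mode check discussed in this thread, modelled as an added example (not part of the original messages and not router code): strict uRPF passes a packet only when the best route back to its source points out the arrival interface, which drops legitimate traffic from a customer's downstream whose return path runs via a peer, so that interface falls back to a BCP 38 ACL. The FIB, ACL table, interface names and packets are constructed, and the model assumes a single best path per prefix.

```python
import ipaddress

# Constructed FIB for one edge router: prefix -> interface of the best route.
# Documentation prefixes; interface names are hypothetical.
FIB = {
    "192.0.2.0/24": "cust-A",     # single-homed customer
    "198.51.100.0/24": "cust-B",  # customer B's own prefix
    "203.0.113.0/24": "peer-1",   # B's downstream: sends out via B, receives via a peer
    "0.0.0.0/0": "upstream",
}
# The manually managed remainder: per-interface BCP 38 source ACLs.
ACLS = {"cust-B": ["198.51.100.0/24", "203.0.113.0/24"]}
URPF_STRICT_IFACES = {"cust-A"}

def best_route_interface(src):
    """Longest-prefix match of src against FIB; returns that route's interface."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in FIB]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return FIB[str(best)]

def urpf_strict(src, in_iface):
    """Strict mode: pass only if the best route back to src uses in_iface."""
    return best_route_interface(src) == in_iface

def acl_permits(src, in_iface):
    """Static source filter: pass only sources listed for in_iface."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in ACLS.get(in_iface, []))

def ingress_permits(src, in_iface):
    """uRPF where it is enabled, the ACL everywhere else."""
    if in_iface in URPF_STRICT_IFACES:
        return urpf_strict(src, in_iface)
    return acl_permits(src, in_iface)

if __name__ == "__main__":
    packets = [  # constructed (source address, arrival interface) pairs
        ("192.0.2.10", "cust-A"),   # legitimate, symmetric routing
        ("10.9.9.9", "cust-A"),     # spoofed source
        ("203.0.113.5", "cust-B"),  # legitimate, asymmetric routing
        ("10.9.9.9", "cust-B"),     # spoofed source
    ]
    for src, iface in packets:
        print(f"{src:>13} on {iface}: strict={urpf_strict(src, iface)} "
              f"policy={ingress_permits(src, iface)}")
```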