North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: attacking DDOS using BGP communities?

  • From: Jason Lixfeld
  • Date: Fri Oct 18 10:09:46 2002

Interesting -- I was actually having a conversation about this very same
thing with a friend of mine a few days ago.  The problem we had, was
that he had next-hop-self on all of his ibgp mesh routers.  Does that
not make it difficult to put an ip next-hop in?  Also, would that ip
next-hop be propagated throughout his mesh or would that same route-map
have to be present on all the edge routers?

The other thing we were toying with was a setting the administrative
distance for said black-holed route to be less than that of his igp and
having his IGP route to 127.0.0.1 or something.

The whole goal was to try and kill the route as close to the source as
possible so as not to have the traffic traverse the core.  The question
is, how to?

-- 
"AFAIK, I'm a BOFH for continually bashing you with a clue-by-four.
OTOH, if you would just RTFM every once in a while, my life would suck
*much* less." 

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of Frank Scalzo
> Sent: Friday, October 18, 2002 9:52 AM
> To: Saku Ytti; [email protected]
> Subject: RE: attacking DDOS using BGP communities?
> 
> 
> 
> 701 has a blackhole community, 701:9999, basically it sets 
> the next-hop
> to something blackholed on their edge so the DOS attack gets 
> dropped as
> soon as it hits them. I have made use of this to kill at 
> least one DDOS
> event. A global blackhole community may be difficult to achieve, but
> getting the majority of large providers to implement one is a good
> start.
> 
> -----Original Message-----
> From: Saku Ytti [mailto:[email protected]] 
> Sent: Thursday, October 17, 2002 5:23 PM
> To: [email protected]
> Subject: attacking DDOS using BGP communities?
> 
> 
> How feasible would these ideas be?
> 
> 1) Signaling unwanted traffic.
>    You would set community which would just inform that you are
> receiving
> unwanted traffic. This way responsible AS# with statistical netflow
> could easily automaticly search for these networks and report 
> to NOC if
> both there is increased traffic to them and community is on.
> 
> -would it be affective at all? Could your netflow parser use 
> it easily?
> +wouldn't need big changes
> 
> 2) 'TTL' community.
>    You would have ~10 communities representing how many AS hops until
> route
> should not be advertised anymore. If you would experience DOS you'd
> start
> from TTL 1 and increase until DOS flow starts again, with any 
> luck you 
> would end up having very limited amount of AS# to communicate with
> in hopes of fixing their anti-spoofing filters and to catch malicious
> party.
> 
> -just think about the amount of route-maps :>
> -you would need to flap the network possible 10 times == damped
> +some idea who to contact w/o co-operation of NOCs (can be hard)
> +wins you time, often DOS is over before you've reached 3rd AS number
>   to ask where the traffic is originating.
> 
> 3) 'null route' community.
>    This would only be useful if it would mean that you are also
> accepting
> more spesific annoucement, preferally even /32. Most people 
> are propably
> crying about the idea already, but if you plan it wisely with
> prefix-limit
> setting it might not be suicide. Just remember that all downstream
> prefix-limit+your prefices must be smaller than what your upstream has
> set for prefix-limit, if this is not done then your downstreams can
> effectively trigger your upstream prefix-limit killing your
> connectivity.
> How AS handles the 'null route' community could vary, others set 
> next-hop to null0 other might set it to analyzer tool. Just that it
> shouldn't reach the other end anymore.
> 
> -the obvious: explosion of global bgp routing table (no, not
> nececcarily)
> +effective, you'd instantly free your link from any DOS 
> traffic to given
> destination.
> -- 
>   ++ytti
>