|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: attacking DDOS using BGP communities?
> > Interesting -- I was actually having a conversation about this very same > thing with a friend of mine a few days ago. The problem we had, was > that he had next-hop-self on all of his ibgp mesh routers. Does that > not make it difficult to put an ip next-hop in? Also, would that ip > next-hop be propagated throughout his mesh or would that same route-map > have to be present on all the edge routers? > > The other thing we were toying with was a setting the administrative > distance for said black-holed route to be less than that of his igp and > having his IGP route to 127.0.0.1 or something. Again, by doing this you are denying service since you are dropping all the packets addressed to the target. Such protection mounts another DOS attack on the target, this time by preventing any packets traveling though your network from reaching the targets, as opposite to preventing DDOS from using your network. If such system is implemented, the DOS attacks will become a lot harder to trace and chase after, since the attackers will simply trigger target blackholing. Alex
|