North American Network Operators Group

RE: UUNet Offer New Protection Against DDoS

I struggled with this, and came up with the following. We basically use a standard route-map for all customers where the first term looks for the community. The customer also has a prefix-list on their neighbor statement allowing their blocks le /32. The following terms (term 2 and above) in the route-map which do NOT look for the customer discard community have a different standard/generic prefix-list evaluation which blocks cruft and permits 0.0.0.0/0 ge 8 le 24. By doing this, I only accept a customer /32 from his dedicated prefix-list when it has the DOS discard community, otherwise I catch them with the ge 8 le 24 in the following terms.

Jason Lumenello
IP Engineering
XO Communications

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Stephen J. Wilcox
> Sent: Wednesday, March 03, 2004 3:48 PM
> To: james
> Cc: [email protected]
> Subject: Re: UUNet Offer New Protection Against DDoS
>
> I'm puzzled by one aspect on the implementation.. how to build your customer
> prefix filters.. that is, we have prefix-lists for prefix and length. Therefore
> at present we can only accept a tagged route for a whole block.. not good if the
> announcement is a /16 etc !
>
> Now, I could do as per the website at secsup.org which means we have a route-map
> entry to match the community before the filtering .. but that would allow the
> customer to null route any ip.
>
> What we need is one to allow them to announce any route including more
> specifics of the prefix list - how are folks doing this?
>
> Steve
>
> On Wed, 3 Mar 2004, james wrote:
>
> > Global Crossing has this, already in production.
> > I was on the phone with Qwest yesterday & this was one
> > of the things I asked about. Qwest indicated they are
> > going to deploy this shortly. (i.e., send routes tagged with
> > a community which they will set to null)
> >
> > James Edwards
> > Routing and Security
> > [email protected]
> > At the Santa Fe Office: Internet at Cyber Mesa
> > Store hours: 9-6 Monday through Friday
> > 505-988-9200 SIP:1(747)669-1965
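
Added example, not part of the original message or any poster's configuration: a small Python model of the two-stage inbound filter described in the reply above (neighbor prefix-list with le 32, route-map term 1 on the discard community, later terms on a generic ge 8 le 24 list). The customer block 192.0.2.0/24, the community value 65000:666 and the single "cruft" entry are constructed placeholders.

```python
import ipaddress

DISCARD = "65000:666"  # constructed placeholder for the discard community

# Neighbor prefix-list: the customer's own block, any length down to /32.
CUSTOMER_PL = [("permit", "192.0.2.0/24", 24, 32)]
# Generic list used by route-map terms 2 and above: drop cruft (one
# constructed sample entry), then permit 0.0.0.0/0 ge 8 le 24.
GENERIC_PL = [("deny", "10.0.0.0/8", 8, 32),
              ("permit", "0.0.0.0/0", 8, 24)]

def pl_match(entries, prefix):
    """First-match prefix-list with ge/le bounds and an implicit deny."""
    p = ipaddress.ip_network(prefix)
    for action, net, ge, le in entries:
        if p.subnet_of(ipaddress.ip_network(net)) and ge <= p.prefixlen <= le:
            return action == "permit"
    return False

def evaluate(prefix, communities):
    """Return 'discard', 'accept' or 'reject' for one customer announcement.

    Both the neighbor prefix-list and the route-map must permit the route,
    so the result does not depend on which of the two is applied first.
    """
    if not pl_match(CUSTOMER_PL, prefix):
        return "reject"      # outside the customer's registered blocks
    if DISCARD in communities:
        return "discard"     # term 1: community present, any length to /32
    if pl_match(GENERIC_PL, prefix):
        return "accept"      # term 2+: ordinary route within ge 8 le 24
    return "reject"          # e.g. an untagged /25../32 more-specific

if __name__ == "__main__":
    samples = [  # constructed announcements
        ("192.0.2.0/24", set()),
        ("192.0.2.55/32", {DISCARD}),
        ("192.0.2.55/32", set()),
        ("203.0.113.9/32", {DISCARD}),
    ]
    for prefix, comms in samples:
        print(f"{prefix:18} {sorted(comms)!s:16} -> {evaluate(prefix, comms)}")
```

The last sample is the case raised in the quoted question: a tagged /32 outside the customer's own space is rejected because the neighbor prefix-list still applies.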