North American Network Operators Group
Re: Blackholing traffic by ASN
On Jan 30, 2008, at 4:33 PM, Justin Shore wrote:
Specifically, if the origin[?] AS that you're wanting to drop all traffic from gets wind of such a policy, they could easily announce other prefixes that result in your dropping that traffic, introducing a more effective DoS vector. Other ASes could easily spoof an origin AS and trigger such a policy application as well.

You should probably do this explicitly based on prefix and null route from some centralized route server w/uRPF and not as a matter of automated policy based on a given AS Path set.

If you're simply worried about destination reachability to prefixes provided by those ASes in question, then you could employ a BGP filter on ingress dropping prefixes with those ASes in the path -- although I think your query was more concerned with ingress traffic from those ASes, not egressing destined to those networks.

Finally, as Ferg said, networks of that sort seem to find a need to diversify their connectivity periodically -- all the more reason to avoid such policies.

-danny
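The two approaches contrasted in the reply above, as an added Cisco IOS configuration example; this is not from the original thread or from any of its posters. The ASNs (64496, 64500, 64501), the discard address 192.0.2.1, the peer and target addresses, and the 666 tag/community value are all assumed for illustration (documentation ranges), not values from the page. The first fragment is the AS-path-keyed policy the reply warns against; the second is the explicit per-prefix null route pushed from a central trigger router and enforced with loose-mode uRPF at the edges.

```cisco
! ===== What the reply warns against: blackhole keyed on AS path =====
! Any prefix whose AS_PATH contains 64496 (assumed "bad" AS) is accepted
! with its next hop rewritten to the discard address.  AS 64496, or any
! AS that prepends 64496, can now announce an arbitrary prefix and have
! this router discard traffic toward that prefix: a DoS vector handed to
! the party being blackholed.
ip route 192.0.2.1 255.255.255.255 Null0
ip as-path access-list 10 permit _64496_
!
route-map BLACKHOLE-BY-ASN permit 10
 match as-path 10
 set ip next-hop 192.0.2.1
route-map BLACKHOLE-BY-ASN permit 20
!
router bgp 64500
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 route-map BLACKHOLE-BY-ASN in

! ===== Explicit per-prefix null route from a central trigger router =====
! Trigger router (AS 64500).  Static routes tagged 666 are redistributed
! into iBGP with next hop 192.0.2.1, a marker community and no-export, so
! the blackhole never leaves the AS.
ip route 192.0.2.1 255.255.255.255 Null0
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set community 64500:666 no-export
 set local-preference 200
 set origin igp
!
router bgp 64500
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 send-community
!
! Operator action: one explicit host route (assumed target), added and
! removed by hand.  Nothing a remote AS announces can create or widen it.
ip route 203.0.113.77 255.255.255.255 Null0 tag 666

! Every edge router: the discard route plus loose-mode uRPF on external
! interfaces.  Packets *sourced* from 203.0.113.77 fail the uRPF check
! because the route to the source resolves to Null0 and are dropped
! (source-based RTBH); packets *destined* to it hit the Null0 route.
ip route 192.0.2.1 255.255.255.255 Null0
!
interface GigabitEthernet0/0
 description eBGP peer (assumed)
 ip verify unicast source reachable-via any
```

The second design keeps the decision of what to drop in the operator's hands, one prefix at a time, and the no-export community keeps the discard route inside the AS; the uRPF loose check is what turns a destination null route into a drop of traffic arriving from that source, which is the ingress case the reply says the original question was about.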