North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Blackholes and IXs and Completing the Attack.

  • From: Alex Pilosov
  • Date: Sun Feb 03 04:26:40 2008

On Sat, 2 Feb 2008, Tomas L. Byrnes wrote:

> I sincerely doubt that any backbone provider will filter at a /32. That
> means they have to check EVERY PACKET AT FULL IP DEST against your AS
> advertised routes. Since most backbone routers build circuits at the /18
> and above mask on MPLS, just to keep up with traffic, I sincerely doubt
> they are going to expend the CPU, and potentially RAM, never mind prefix
> table entries (you know, those things we're running out of) to have a
> full table of every host that every hoster says is being DDOSed. In this
> case, there's a clear economic cost, for no economic benefit (they do
> actually make money delivering that DDOS traffic).
"most backbone routers build circuits at the /18 and above mask on MPLS" - 
that part is seriously funny.

a) Yes, if such proposal was to be widely accepted, it would generate more 
entries in RIB/FIB.

b) However, if this service was actually operated by IX's, the limits to
prevent "too much" growth could be applied centrally (max-prefixes per 
ASN, automatic removal of those routes after X days, unless manually 
requested by host, etc).

c) Since only your peers will have those :666 entries, it is less "route
growth" than than the alternative of announcing the affected block as /24 
(which you seem to suggest).

> A better approach would be to move your DDOS target and all the rest of
> its co-subnet hosts into a different /24, update the DNS RRs, and cease
> advertising that /24. Not to mention, you can't "cease advertising /24". 
what you would need to do is to deaggregate your (say) /20 into /21, /22, 
/23 and /24. That's 3 extra entries in FIB for everyone in the world to 

> If you really want to be nice, they don't need to renumber, you just
> need to stop advertising the target subnet, change the DNS RR's and NAT
> at your borders, if you control DNS and IP. The added benefit of this is
> that you can swap them back when the DDOs is over, and they get to stay
> up while it's happening. All you need to do this is some spare, never to
> be allocated, IP space.

-alex [not speaking as mlc anything]