North American Network Operators Group
RE: Blackholes and IXs and Completing the Attack.
On Sat, 2 Feb 2008, Tomas L. Byrnes wrote:

> I sincerely doubt that any backbone provider will filter at a /32. That
> means they have to check EVERY PACKET AT FULL IP DEST against your AS
> advertised routes. Since most backbone routers build circuits at the /18
> and above mask on MPLS, just to keep up with traffic, I sincerely doubt
> they are going to expend the CPU, and potentially RAM, never mind prefix
> table entries (you know, those things we're running out of) to have a
> full table of every host that every hoster says is being DDOSed. In this
> case, there's a clear economic cost, for no economic benefit (they do
> actually make money delivering that DDOS traffic).

"most backbone routers build circuits at the /18 and above mask on MPLS" - that part is seriously funny.

However:

a) Yes, if such a proposal were widely accepted, it would generate more entries in RIB/FIB.

b) However, if this service was actually operated by IXs, the limits to prevent "too much" growth could be applied centrally (max-prefixes per ASN, automatic removal of those routes after X days unless manually requested by the host, etc.).

c) Since only your peers will have those :666 entries, it is less "route growth" than the alternative of announcing the affected block as a /24 (which you seem to suggest).

> A better approach would be to move your DDOS target and all the rest of
> its co-subnet hosts into a different /24, update the DNS RRs, and cease
> advertising that /24.

That...is...perverted.

Not to mention, you can't "cease advertising a /24". What you would need to do is to deaggregate your (say) /20 into a /21, /22, /23 and /24. That's 3 extra entries in the FIB for everyone in the world to carry.

> If you really want to be nice, they don't need to renumber, you just
> need to stop advertising the target subnet, change the DNS RRs and NAT
> at your borders, if you control DNS and IP. The added benefit of this is
> that you can swap them back when the DDOS is over, and they get to stay
> up while it's happening. All you need to do this is some spare, never to
> be allocated, IP space.

That...is...perverted.

-alex [not speaking as mlc anything]
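The two route-growth arguments in the reply above, as an added example that is not part of the original NANOG post: the deaggregation cost of withdrawing one /24 from a /20 (the "3 extra entries" point), and the kind of central limits an IX route server could apply to /32 blackhole announcements (point b: a per-ASN prefix cap and automatic expiry after X days unless the host asks to keep the route). The `BlackholeRegistry` class, the `65535:666` community value and the 10.0.0.0/20 sample block are assumptions made for this illustration; the thread only mentions ":666" entries.

```python
import ipaddress

# Assumed IX blackhole community for the example; the thread only says ":666".
BLACKHOLE_COMMUNITY = "65535:666"
DAY = 86400  # seconds


def withdraw_subnet(aggregate, target):
    """Covering prefixes needed to keep the rest of `aggregate` routed after
    withdrawing `target`, i.e. the deaggregation the reply describes.
    Uses the standard library's address_exclude to split the aggregate."""
    agg = ipaddress.ip_network(aggregate)
    tgt = ipaddress.ip_network(target)
    return [str(n) for n in sorted(agg.address_exclude(tgt))]


def extra_fib_entries(aggregate, target):
    """Routes every FIB has to carry beyond the single aggregate it replaced."""
    return len(withdraw_subnet(aggregate, target)) - 1


class BlackholeRegistry:
    """Hypothetical IX route-server policy for point (b) of the reply:
    host routes only, a per-ASN prefix cap, and automatic expiry after
    max_age_days unless the announcing host asked for the route to stay."""

    def __init__(self, max_prefixes_per_asn=10, max_age_days=7):
        self.max_prefixes = max_prefixes_per_asn
        self.max_age = max_age_days * DAY
        self.routes = {}  # (asn, prefix) -> {"added": ts_seconds, "pinned": bool}

    def count(self, asn):
        """Number of blackhole routes currently held for one ASN."""
        return sum(1 for a, _ in self.routes if a == asn)

    def announce(self, asn, prefix, community, now, pinned=False):
        """Accept a blackhole announcement, or raise ValueError saying why not."""
        net = ipaddress.ip_network(prefix)
        if community != BLACKHOLE_COMMUNITY:
            raise ValueError(f"{prefix}: missing blackhole community {BLACKHOLE_COMMUNITY}")
        if net.prefixlen != net.max_prefixlen:
            raise ValueError(f"{prefix}: blackhole routes must be host routes")
        key = (asn, str(net))
        if key not in self.routes and self.count(asn) >= self.max_prefixes:
            raise ValueError(f"AS{asn}: max-prefix limit {self.max_prefixes} reached")
        self.routes[key] = {"added": now, "pinned": pinned}
        return str(net)

    def expire(self, now):
        """Drop unpinned routes older than max_age; return the prefixes removed."""
        removed = []
        for key, meta in list(self.routes.items()):
            if not meta["pinned"] and now - meta["added"] > self.max_age:
                removed.append(key[1])
                del self.routes[key]
        return removed


if __name__ == "__main__":
    # Constructed sample: a /20 whose last /24 is under attack.
    print(withdraw_subnet("10.0.0.0/20", "10.0.15.0/24"))
    print("extra FIB entries:", extra_fib_entries("10.0.0.0/20", "10.0.15.0/24"))
    reg = BlackholeRegistry(max_prefixes_per_asn=2, max_age_days=3)
    reg.announce(64496, "10.0.15.10/32", BLACKHOLE_COMMUNITY, now=0)
    print("expired after 5 days:", reg.expire(now=5 * DAY))
```

Running this shows the contrast the reply draws: withdrawing the /24 leaves four covering prefixes (one /21, one /22, one /23 and one /24) that the whole Internet must carry, while the /32 blackhole entries stay confined to the IX peers and are bounded by the registry's cap and expiry.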