North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: [admin] [summary] RE: YouTube IP Hijacking

  • From: Barry Greene (bgreene)
  • Date: Tue Feb 26 12:58:18 2008
  • Authentication-results: sj-dkim-3; [email protected]; dkim=pass ( sig from verified; );
  • Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=2756; t=1204048530; x=1204912530; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;; [email protected]; z=From:=20=22Barry=20Greene=20(bgreene)=22=20<[email protected] com> |Subject:=20RE=3A=20[admin]=20[summary]=20RE=3A=20YouTube=2 0IP=20Hijacking |Sender:=20; bh=0J6BqxY3O3Evy9CX8qrJKPGC/WS1cJVF7mwbzcMOpk8=; b=F+xwQdRide4q/ONV+0YBYdMsPg3LyUCreSccRnFIfmY7WZLEZslZYhgZC5 WJmHta5Xus2ZM3+XpVU2T7qa/Mi7M/wBN/42TcW+WsPiLez99xVCor9aT83d 6itBEyDUN3;

Hash: SHA1

Missing a tag in the trigger is why you put the Murphy Filters in the
trigger router's route-map (the point you were getting at but being even
more explicit).

In my route map on the trigger router, I would not allow any static
route triggers which did not have an exact match. I would also set the
BGP advertisement to have - by default - the no-export community, a
community range for all my triggers, and limit all my triggers to be
below /24 (i.e /25 - /32).

I then have three things to set my egress prefix filters to all my peers
and customers:

	- comply with the default communities (no export)
	- filter all communities in my trigger range
	- filter anything in the /25 - /32 range.

BTW - "Murphy Filters" is my term for policy filters which expect
"Murphy's Law of Networking" to kick in. You have to expect human error.

In addition to this, I would have my upstream mirror my filters. Life
sucks when you advertise big blocks of the Internet and you become one
giant sink hole (until you go congestion collapse, drop the BGP session
and start flapping like crazy).


> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of Christopher Morrow
> Sent: Tuesday, February 26, 2008 8:59 AM
> To: hjan
> Cc: [email protected]
> Subject: Re: [admin] [summary] RE: YouTube IP Hijacking
> On Tue, Feb 26, 2008 at 10:40 AM, hjan <[email protected]> wrote:
> >  I think that they should use remote triggered blackhole filtering 
> > with  no-export community.
> >  In this way they do the job with no impact on the rest of internet.
> so, certainly this isn't a bad idea, but given as an example:
> <>
> (Sorry not a perfect example, but illustrates my point)
> instead of:
> ip route my.offensive.material.0 Null0 tag 12345
> the operator in question (person not place) types:
> ip route my.offensive.material.0 Null0 tag 1234
> oops, a simple cut/paste mistake means that a route didn't 
> get tagged properly, didn't get community tagged properly, 
> didn't get set no-export and didn't get kept internally :(
> There is no SINGLE fix for this, there is a belt+suspenders approach:
> 1) Know what you are advertising (customer side of the puzzle)
> 2) Know what you are expecting to recieve (provider side of 
> the puzzle)
> 3) plan for failures in both parts of this puzzle.
> -Chris
Version: PGP 8.1