RE: attacking DDOS using BGP communities?

> 701 has a blackhole community, 701:9999, basically it sets the next-hop
> to something blackholed on their edge so the DOS attack gets dropped as
> soon as it hits them. I have made use of this to kill at least one DDOS
> event. A global blackhole community may be difficult to achieve, but
> getting the majority of large providers to implement one is a good
> start.

Interesting -- I was actually having a conversation about this very same
thing with a friend of mine a few days ago. The problem we had was
that he had next-hop-self on all of his ibgp mesh routers. Does that
not make it difficult to put an ip next-hop in? Also, would that ip
next-hop be propagated throughout his mesh, or would that same route-map
have to be present on all the edge routers?

The other thing we were toying with was setting the administrative
distance for said black-holed route to be less than that of his igp and
having his IGP route to 127.0.0.1 or something.

The whole goal was to try and kill the route as close to the source as
possible so as not to have the traffic traverse the core. The question
is, how to?

> 701 has a blackhole community, 701:9999, basically it sets the next-hop
> to something blackholed on their edge so the DOS attack gets dropped as
> soon as it hits them. I have made use of this to kill at least one DDOS
> event. A global blackhole community may be difficult to achieve, but
> getting the majority of large providers to implement one is a good
> start.

Brilliant solution - let's stop a DDOS attack on the customer by denying
service to the customer in a non-distributed way.

Alex

Inline comments below...

--Chris
(chris@uu.net)

> Interesting -- I was actually having a conversation about this very same
> thing with a friend of mine a few days ago. The problem we had was
> that he had next-hop-self on all of his ibgp mesh routers. Does that
> not make it difficult to put an ip next-hop in? Also, would that ip
> next-hop be propagated throughout his mesh, or would that same route-map
> have to be present on all the edge routers?
>
> The other thing we were toying with was setting the administrative
> distance for said black-holed route to be less than that of his igp and
> having his IGP route to 127.0.0.1 or something.

  Again, by doing this you are denying service, since you are dropping
all the packets addressed to the target. Such protection mounts another DOS
attack on the target, this time by preventing any packets traveling through
your network from reaching the targets, as opposed to preventing DDOS from
using your network.
  If such a system is implemented, the DOS attacks will become a lot
harder to trace and chase after, since the attackers will simply trigger
target blackholing.

Alex
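As an added illustration (not posted by anyone in this thread), here is what the provider-side mechanism Chris describes for 701:9999 looks like in Cisco IOS syntax, with the inbound prefix check that limits the blackhole trigger to the customer's own address space, which addresses Alex's point about third parties triggering a blackhole. AS 701 and the community 701:9999 come from the thread; the discard address 192.0.2.1, the customer peer 203.0.113.2 in AS 65001, the prefix 198.51.100.0/24 and all list and route-map names are constructed placeholders.

```cisco
! Added example, not from the thread. IOS-style syntax is assumed.
ip bgp-community new-format
!
! Discard next-hop: every edge router carries this static route to Null0,
! so a BGP route whose next-hop is 192.0.2.1 drops the packet on the edge
! router that received it, before it traverses the core. For that to hold
! on every edge, the 192.0.2.1 next-hop has to survive propagation through
! the iBGP mesh; if an edge rewrites it to itself, other routers forward
! the traffic to that edge and it is dropped there instead.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Ordinary routes the customer may announce (constructed value).
ip prefix-list CUST-65001-ROUTES seq 5 permit 198.51.100.0/24
! Blackhole triggers: only more-specifics of the customer's own space,
! so a customer cannot blackhole someone else's prefix.
ip prefix-list CUST-65001-BLACKHOLE seq 5 permit 198.51.100.0/24 le 32
!
ip community-list standard BLACKHOLE permit 701:9999
!
route-map CUST-65001-IN permit 10
 description 701:9999 tagged -> point next-hop at the Null0-routed address
 match ip address prefix-list CUST-65001-BLACKHOLE
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
!
route-map CUST-65001-IN permit 20
 description ordinary customer routes, no /32s accepted here
 match ip address prefix-list CUST-65001-ROUTES
!
! Anything not matched by the two entries above is dropped by the
! implicit deny at the end of the route-map.
router bgp 701
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 route-map CUST-65001-IN in
 neighbor 203.0.113.2 maximum-prefix 100
```

The no-export community keeps the blackhole route inside AS 701, so the customer's trigger does not leak to other providers as a routing announcement for their space.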