This sounds like a good idea for us to consider. I think DoS attacks typically get erased in the 95% discard a lot of people use in billing though, but it still has value for the customer.
Thanks!
Jason
-----Original Message-----
We actually accept up to the customer's aggregate. So if they have a /16, they can tag the whole /16. And we do not tag no-export. I saw some time ago on a list, and I think Bill Manning suggested it, that if you are getting bits for unused address space, to announce that address space (up to host specific) with the DDoS community string. That keeps the packets off of your link and thus you don't get charged for them. The same can be done in reverse. We have a customer that is advertising their larger block with the DDoS community string, and then advertising the addresses they are actually using more specifically, so we blackhole everything less specific. These are a couple of applications that can be utilized if you don't tag no-export and accept more than just /32s within their address space. FWIW.

Oh, and I strip their communities, and apply no-export, on the first term of my route map so the /32 does not get out. Of course my peer facing policy requires specific communities to get out as well (belt and suspenders). This method works very well, and you do not have to give up length restrictions or maintain two sets of customer prefix/access lists.

Jason
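The policy discussed in this thread, modelled as an added example that is not part of the original messages or any poster's configuration: the customer-facing term strips communities and adds no-export on tagged routes, the peer-facing policy requires a specific community, and longest-prefix match gives the "reverse" application. The community values, prefixes and function names are assumptions made up for illustration.

```python
import ipaddress

# Constructed values; the thread names no community strings or prefixes.
DDOS_COMMUNITY = "64500:666"     # hypothetical "blackhole this" community
PEER_OK_COMMUNITY = "64500:100"  # hypothetical community the peer policy requires
NO_EXPORT = "no-export"

def import_from_customer(prefix, communities, aggregate):
    """Customer-facing policy: accept anything inside the aggregate, up to /32."""
    net = ipaddress.ip_network(prefix)
    if not net.subnet_of(ipaddress.ip_network(aggregate)):
        return None  # outside the customer's own space: reject
    if DDOS_COMMUNITY in communities:
        # First term: strip customer communities, add no-export, null-route.
        return {"net": net, "communities": {NO_EXPORT}, "action": "discard"}
    return {"net": net, "communities": set(communities), "action": "forward"}

def export_to_peer(route):
    """Peer-facing policy: only explicitly tagged routes leave (second check)."""
    c = route["communities"]
    return PEER_OK_COMMUNITY in c and NO_EXPORT not in c

def build_rib(announcements, aggregate):
    routes = (import_from_customer(p, c, aggregate) for p, c in announcements)
    return [r for r in routes if r is not None]

def lookup(rib, address):
    """Longest-prefix match, as the forwarding plane would do it."""
    addr = ipaddress.ip_address(address)
    hits = [r for r in rib if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen)["action"] if hits else "no route"

AGGREGATE = "10.20.0.0/16"  # constructed customer aggregate
ANNOUNCEMENTS = [           # constructed customer announcements
    ("10.20.0.0/16", [DDOS_COMMUNITY, PEER_OK_COMMUNITY]),  # whole block tagged
    ("10.20.5.0/24", [PEER_OK_COMMUNITY]),                  # space actually in use
    ("10.20.9.7/32", [DDOS_COMMUNITY, PEER_OK_COMMUNITY]),  # one host under attack
    ("192.0.2.0/24", [DDOS_COMMUNITY]),                     # not the customer's space
]

if __name__ == "__main__":
    rib = build_rib(ANNOUNCEMENTS, AGGREGATE)
    for ip in ("10.20.5.10", "10.20.77.1", "10.20.9.7", "192.0.2.1"):
        print(ip, "->", lookup(rib, ip))
    for r in rib:
        print(r["net"], "exported to peers:", export_to_peer(r))
```

Traffic to the in-use /24 is forwarded while the rest of the tagged /16 and the tagged /32 are discarded, and the tagged routes stay inside the network even though the customer attached the peer community to them.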