Exactly, Aaron. No provider will allow a customer to null route a source IP 
address. I could only assume that a null route on Michel's network is tanking 
the packets at their edge to 192.0.2.1 (discard/null0).

-- 
Ryan Hamel
Senior Support Engineer
ryan.ha...@quadranet.com | +1 (888) 578-2372
QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud

-----Original Message-----
From: NANOG <nanog-boun...@nanog.org> On Behalf Of Aaron Gould
Sent: Thursday, August 30, 2018 1:38 PM
To: 'Michel Py' <michel...@tsisemi.com>; Nanog@nanog.org
Subject: RE: automatic rtbh trigger using flow data

Thanks, but what if the attacker is many... like thousands ?  ...isn't that 
typically what we see, is tons and tons of sources (hence
distributed....dos) ?

-Aaron

-----Original Message-----
From: Michel Py [mailto:michel...@tsisemi.com]
Sent: Thursday, August 30, 2018 3:17 PM
To: Aaron Gould; Nanog@nanog.org
Subject: RE: automatic rtbh trigger using flow data 

> Aaron Gould wrote :
> Hi, does anyone know how to use flow data to trigger a rtbh (remotely
> triggered blackhole) route using bgp ?  ...I'm thinking we could use
> quagga or a script of some sort to interact with a router to advertise to
> bgp the /32 host route of the victim under attack.

Look at Exabgp : https://github.com/Exa-Networks/exabgp
That's what I use in here : https://arneill-py.sacramento.ca.us/cbbc/ to inject 
the prefixes in BGP.
I block the attacker's addresses, not the victim but if you are willing to 
write your own scripts it does the job.

Michel.
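
Added example, not part of the thread and not code from any participant or from the ExaBGP project: a sketch of the victim-side trigger asked about above, written as a script ExaBGP could run as a process, which sums flow records per destination (so thousands of sources make no difference) and emits ExaBGP text API commands for the victim /32. Assumptions: the `(src, dst, packets)` record shape, the protected prefix, the threshold and hold time are constructed, and the upstream is assumed to honour the RFC 7999 BLACKHOLE community.

```python
import ipaddress
from collections import defaultdict

DISCARD_NEXT_HOP = "192.0.2.1"     # discard next hop mentioned in the thread
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE; assumption: peers honour it
PROTECTED = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: our own space
PPS_THRESHOLD = 100_000            # assumption: per-destination trigger rate
HOLD_SECONDS = 300                 # assumption: keep the blackhole this long

def evaluate(flows, interval, now, active):
    """Return ExaBGP API commands for one export interval.

    flows: (src, dst, packets) records; active: {victim: expiry}, updated in place.
    """
    packets_to = defaultdict(int)
    for _src, dst, packets in flows:
        # Aggregate per destination, so the number of sources is irrelevant.
        if any(ipaddress.ip_address(dst) in net for net in PROTECTED):
            packets_to[dst] += packets
    commands = []
    for dst, total in sorted(packets_to.items()):
        if total / interval >= PPS_THRESHOLD:
            if dst not in active:
                commands.append(f"announce route {dst}/32 next-hop {DISCARD_NEXT_HOP} "
                                f"community [{BLACKHOLE_COMMUNITY}]")
            active[dst] = now + HOLD_SECONDS  # refresh while the flood continues
    # Once blackholed upstream the flood may vanish from local flow data, so
    # withdraw on a timer; a flood that resumes re-triggers the announce.
    for dst in [d for d, expiry in active.items() if expiry <= now]:
        del active[dst]
        commands.append(f"withdraw route {dst}/32 next-hop {DISCARD_NEXT_HOP}")
    return commands

def sample_flows():
    """Constructed records: 2000 sources flooding one host, plus normal traffic."""
    flood = [(f"198.18.{i // 256}.{i % 256}", "203.0.113.10", 6000) for i in range(2000)]
    return flood + [("198.51.100.7", "203.0.113.20", 3000),   # 50 pps, below threshold
                    ("198.51.100.8", "192.0.2.200", 10**9)]   # not our prefix, ignored

if __name__ == "__main__":
    # ExaBGP runs this as a configured process and reads commands from stdout.
    for line in evaluate(sample_flows(), interval=60, now=0, active={}):
        print(line, flush=True)
```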
