Re: [EXTERNAL] Re: RTBH no_export
On Mon, 4 Feb 2019 09:01:20 + i3D.net - Martijn Schmidt wrote: > Cogent does let you use RTBH, but on a separate BGP session to a > blackhole server. So it's a bit more hassle to set it up policy-wise, > because it deviates from the standard. Same story for "former > GlobalCrossing", now CenturyLink's AS3549, which is still used for LATAM > and Asia. There are other providers that do this besides those you listed. I'm not sure one way or the other is truly "the standard" approach, but there may be an advantage and potentially good reason to have a separate session. If a no-multihop peering link/session is down, you might still be able to establish a RTBH peering session via another path. That may be what you need to get that direct neighbor back up. :-) John
RE: [EXTERNAL] Re: RTBH no_export
I heard that before... -Original Message- From: Vincent Bernat Sent: Monday, February 4, 2019 9:48 AM To: i3D.net - Martijn Schmidt Cc: Nikos Leontsinis ; Paul S. ; nanog@nanog.org Subject: Re: [EXTERNAL] Re: RTBH no_export ❦ 4 février 2019 09:01 +00, i3D.net - Martijn Schmidt : > Cogent does let you use RTBH, but on a separate BGP session to a > blackhole server. So it's a bit more hassle to set it up policy-wise, > because it deviates from the standard. Same story for "former > GlobalCrossing", now CenturyLink's AS3549, which is still used for > LATAM and Asia. Cogent will "soon" support a blackhole community on regular BGP sessions. I've got this information a few months ago, so maybe just ask for it to make it happen sooner. -- Use uniform input formats. - The Elements of Programming Style (Kernighan & Plauger) This email is from Equinix (EMEA) B.V. or one of its associated companies in the territory from where this email has been sent. This email, and any files transmitted with it, contains information which is confidential, is solely for the use of the intended recipient and may be legally privileged. If you have received this email in error, please notify the sender and delete this email immediately. Equinix (EMEA) B.V.. Registered Office: Amstelplein 1, 1096 HA Amsterdam, The Netherlands. Registered in The Netherlands No. 57577889.
Re: [EXTERNAL] Re: RTBH no_export
❦ 4 février 2019 09:01 +00, i3D.net - Martijn Schmidt : > Cogent does let you use RTBH, but on a separate BGP session to a > blackhole server. So it's a bit more hassle to set it up policy-wise, > because it deviates from the standard. Same story for "former > GlobalCrossing", now CenturyLink's AS3549, which is still used for LATAM > and Asia. Cogent will "soon" support a blackhole community on regular BGP sessions. I've got this information a few months ago, so maybe just ask for it to make it happen sooner. -- Use uniform input formats. - The Elements of Programming Style (Kernighan & Plauger)
Re: [EXTERNAL] Re: RTBH no_export
Cogent does let you use RTBH, but on a separate BGP session to a blackhole server. So it's a bit more hassle to set it up policy-wise, because it deviates from the standard. Same story for "former GlobalCrossing", now CenturyLink's AS3549, which is still used for LATAM and Asia. Best regards, Martijn On 2/4/19 9:39 AM, Nikos Leontsinis wrote: > This is a 20+ year old solution. Ugly because you will block good traffic and > on your effort to protect your network you will block legitimate traffic too > (satisfying the attacker) but most upstream providers > will give you a community to use (Cogent is a notable exception) and tag the > prefix under attack so that the attack will not reach your network. > Sadly most IXs after 20 years they still don't understand the need for this > community but at least someone has written an rfc so that all of us use the > same community. > At least we made some progress there... > > -Original Message- > From: NANOG On Behalf Of Paul S. > Sent: Sunday, February 3, 2019 11:08 PM > To: nanog@nanog.org > Subject: [EXTERNAL] Re: RTBH no_export > > +1, exactly what we did. I also recommend implementing > per-upstream/region blackhole communities (so your users can choose who to > blackhole as they see fit.) > > Often time, DDoS traffic comes from regions that do not intersect with > legitimate traffic. > > On 2/4/2019 03:15 午前, Tom Hill wrote: >> On 31/01/2019 20:17, Nick Hilliard wrote: >>> you should implement a different community for upstream blackholing. >>> This should be stripped at your upstream links and replaced with the >>> provider's RTBH community. Your provider will then handle export >>> restrictions as they see fit. >> This works wonderfully, from past experience. :) >> > This email is from Equinix (EMEA) B.V. or one of its associated companies in > the territory from where this email has been sent. This email, and any files > transmitted with it, contains information which is confidential, is solely > for the use of the intended recipient and may be legally privileged. If you > have received this email in error, please notify the sender and delete this > email immediately. Equinix (EMEA) B.V.. Registered Office: Amstelplein 1, > 1096 HA Amsterdam, The Netherlands. Registered in The Netherlands No. > 57577889.
RE: [EXTERNAL] Re: RTBH no_export
This is a 20+ year old solution. Ugly because you will block good traffic and on your effort to protect your network you will block legitimate traffic too (satisfying the attacker) but most upstream providers will give you a community to use (Cogent is a notable exception) and tag the prefix under attack so that the attack will not reach your network. Sadly most IXs after 20 years they still don't understand the need for this community but at least someone has written an rfc so that all of us use the same community. At least we made some progress there... -Original Message- From: NANOG On Behalf Of Paul S. Sent: Sunday, February 3, 2019 11:08 PM To: nanog@nanog.org Subject: [EXTERNAL] Re: RTBH no_export +1, exactly what we did. I also recommend implementing per-upstream/region blackhole communities (so your users can choose who to blackhole as they see fit.) Often time, DDoS traffic comes from regions that do not intersect with legitimate traffic. On 2/4/2019 03:15 午前, Tom Hill wrote: > On 31/01/2019 20:17, Nick Hilliard wrote: >> you should implement a different community for upstream blackholing. >> This should be stripped at your upstream links and replaced with the >> provider's RTBH community. Your provider will then handle export >> restrictions as they see fit. > > This works wonderfully, from past experience. :) > This email is from Equinix (EMEA) B.V. or one of its associated companies in the territory from where this email has been sent. This email, and any files transmitted with it, contains information which is confidential, is solely for the use of the intended recipient and may be legally privileged. If you have received this email in error, please notify the sender and delete this email immediately. Equinix (EMEA) B.V.. Registered Office: Amstelplein 1, 1096 HA Amsterdam, The Netherlands. Registered in The Netherlands No. 57577889.