Re: Blackhole Routes

2004-09-30 Thread Suresh Ramasubramanian
Abhishek Verma wrote: There are ways to add static routes that can be blackholed. I can understand the utility of such routes if those are installed in my forwarding table. What bewilders me is why would anyone want to advertise "blackhole" routes using say, BGP? Is it only to prevent some sort of

Re: Blackhole Routes

2004-09-30 Thread Stephen J. Wilcox
There are several sources of eBGP feeds for blackholing; they can be very useful depending on what your requirements are. You can get feeds for spam, DDoS bots, bogon routes etc. For iBGP this can be useful too: if you are being DDoS'd you can inject an iBGP route and have all your routers inst

Re: Blackhole Routes

2004-09-30 Thread Michael . Dillon
> There are ways to add static routes that can be blackholed. I can > understand the utility of such routes if those are installed in my > forwarding table. What bewilders me is why would anyone want to > advertise "blackhole" routes using say, BGP? Have you read the presentation from the Feb. NA

Re: 10GE access switch router

2004-09-30 Thread Scott McGrath
Extreme makes such a device but it is not truly wirespeed i.e. it goes wirespeed on ports associated with a particular ASIC but the ASIC to ASIC links apparently cannot forward a full ASIC to another full ASIC without dropping frames. But that may be an academic concern and is unlikely to happen

Re: Blackhole Routes

2004-09-30 Thread Robert A. Hayden
We use Blackholing extensively to protect our campus network from "bad" machines. I did a writeup (replete with my own personal brand of braindead typos) a while back that details out how we set it up using OSPF and uRPF. http://www.merit.edu/mail.archives/nanog/2003-11/msg00225.html There are mec

RE: Blackhole Routes

2004-09-30 Thread Barry Raveendran Greene
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 == NEW Materials = Powersession on Core Security (4-6 May 2004) http://www.ciscoeventreg.net/go/networkers/agenda9.lasso CPN Summit SP Security Materials (April 2004) ftp://ftp-eng.cisco

Re: Blackhole Routes

2004-09-30 Thread Erik Haagsman
On Thu, 2004-09-30 at 15:45, Robert A. Hayden wrote: > There are mechanisms to do it using eBGP and communities as well which I'm > sure most on this list are more familiar with. > > Think of blackholing as a way to surgically remove a specific IP from your > network, without having to deal wit

RE: Blackhole Routes

2004-09-30 Thread Eric Germann
We use a variation of this for several things. At the risk of getting in to political policy discussions ... We have a PERL script which looks for the wildcard .com record. If it finds it (the old Verisign SiteFinder), it injects a blackhole route to kill it. Also, we periodically pull in (ever

Re: Blackhole Routes

2004-09-30 Thread Deepak Jain
It sounds like you are confusing ideas here... If BGP is making a forwarding table entry, that's it. Ports are not really considered in forwarding decisions -- or if they are, the box is usually called a Firewall, not a router. It would be pretty trivial to take the information you are generati

Re: Blackhole Routes

2004-09-30 Thread Christopher L. Morrow
On Thu, 30 Sep 2004, Deepak Jain wrote: > > > It sounds like you are confusing ideas here... > > If BGP is making a forwarding table entry, that's it. Ports are not > really considered in forwarding decisions -- or if they are, the box is > usually called a Firewall, not a router. > Just thinki

Re: Blackhole Routes

2004-09-30 Thread Wayne E. Bouchard
On Thu, Sep 30, 2004 at 04:40:54PM +0200, Erik Haagsman wrote: > > On Thu, 2004-09-30 at 15:45, Robert A. Hayden wrote: > > There are mechanisms to do it using eBGP and communities as well which I'm > > sure most on this list are more familiar with. > > > > Think of blackholing as a way to surg

Re: Blackhole Routes

2004-09-30 Thread Deepak Jain
It goes a little further than that these days. Folks are openly allowing customers to advertize routes with something like a 666 community which will then be blackholed within their network. So if you're a service provider with your own blackhole system, you can easily tie it into your upstream's

Re: Blackhole Routes

2004-09-30 Thread Wayne E. Bouchard
On Thu, Sep 30, 2004 at 02:15:49PM -0400, Deepak Jain wrote: > >It goes a little further than that these days. Folks are openly > >allowing customers to advertize routes with something like a 666 > >community which will then be blackholed within their network. So if > >you're a service provider wi

Re: Blackhole Routes

2004-09-30 Thread Jeff Aitken
On Thu, Sep 30, 2004 at 02:15:49PM -0400, Deepak Jain wrote: > provider mistakenly advertises more routes than he should [lets say > specifics in case #1] you can flood your upstreams' routers with > specifics and potentially cause flapping or memory overflows... > > In case #2, presumably the

Re: Blackhole Routes

2004-09-30 Thread Will Yardley
On Thu, Sep 30, 2004 at 02:15:49PM -0400, Deepak Jain wrote: > > It goes a little further than that these days. Folks are openly > > allowing customers to advertize routes with something like a 666 > > community which will then be blackholed within their network. So if > > you're a service provi

Re: Blackhole Routes

2004-09-30 Thread Stephen J. Wilcox
we can handle most DoS's ourselves, this is the case with a lot/most? upstreams, we don't automatically forward blackholes upstream. The only time anyone would need to do that is if a particular upstream's connection was saturated with the DoS. I'd agree automatically propagating these isn't good

Re: Blackhole Routes

2004-09-30 Thread Pete Templin
Deepak Jain wrote: If providers start tying their customer's blackhole announcements to the provider's upstreams' blackhole announcements in an AUTOMATIC process, bad things are likely to happen. What happens when a customer of a provider mistakenly advertises more routes than he should [lets s

Re: Blackhole Routes

2004-09-30 Thread Richard A Steenbergen
On Thu, Sep 30, 2004 at 11:43:42AM -0700, Wayne E. Bouchard wrote: > > Yes, well, in my case, I go through a dedicated server with multi-hop > sessions and set a prefix limit of 25 or so, so I don't get bombarded > with 5 billion /32 routes and don't send those routes upstream. (I try > to play ni

Re: Blackhole Routes

2004-09-30 Thread Richard A Steenbergen
On Thu, Sep 30, 2004 at 08:03:05PM +0100, Stephen J. Wilcox wrote: > > we can handle most DoS's ourselves, this is the case with a lot/most? upstreams, > we don't automatically forward blackholes upstream > > the only time anyone would need to do that is if a particular upstream's > connection

ddos attack advice

2004-09-30 Thread adrian kok
Dear all, We had a DDoS attack on our IP A.B.C.D yesterday. Someone suggested that I post it here and I might get advice from this newsgroup. 1/ What's a good methodology for blocking certain IP addresses? ACL or a strict filtering list, which one is better? Or are there some other effective ways as well? 2/ We could

Re: Blackhole Routes

2004-09-30 Thread Christopher L. Morrow
On Thu, 30 Sep 2004, Jeff Aitken wrote: > > On Thu, Sep 30, 2004 at 02:15:49PM -0400, Deepak Jain wrote: > > provider mistakenly advertises more routes than he should [lets say > > specifics in case #1] you can flood your upstreams' routers with > > specifics and potentially cause flapping or mem

Re: Blackhole Routes

2004-09-30 Thread Petri Helenius
Eric Germann wrote: What I would like to see (and have never researched in depth) is a way to apply the blackhole routes on a community to port basis (i.e. we set up a specific BGP community to filter mail, and that community goes to a route map that kills only port 25, another community applies to a ma

Re: Blackhole Routes

2004-09-30 Thread Mark Kasten
Richard A Steenbergen wrote: That said, it is still absolutely silly that we can't standardize on a globally accepted blackhole community. A provider with many transit upstreams who wishes to pass on blackhole routes for their customers could quickly find themselves with some very messy configs

Re: Blackhole Routes

2004-09-30 Thread Richard A Steenbergen
On Thu, Sep 30, 2004 at 04:47:30PM -0400, Mark Kasten wrote: > Richard A Steenbergen wrote: > > >That said, it is still absolutely silly that we can't standardize on a > >globally accepted blackhole community. A provider with many transit > >upstreams who wishes to pass on blackhole routes for

Re: Blackhole Routes

2004-09-30 Thread Stephen J. Wilcox
On Thu, 30 Sep 2004, Richard A Steenbergen wrote: > I'd have to disagree with you. While you and many other networks may be > able to handle most DoS attacks without involving your upstreams, there > are still plenty (the majority I would say) of networks who can't. In > fact, the entire CONCE

Re: Blackhole Routes

2004-09-30 Thread Randy Bush
>> If every BGP session in your network is protected by a max-prefix >> limit, no matter who leaks, the damage will be limited and contained. > true, also not universal, the problem with max-prefix is it does not say *which* prefixes. so even if the drop-bgp stoopidity is corrected, you could end

Re: Blackhole Routes

2004-09-30 Thread Christopher L. Morrow
On Thu, 30 Sep 2004, Randy Bush wrote: > >> If every BGP session in your network is protected by a max-prefix > >> limit, no matter who leaks, the damage will be limited and contained. > > true, also not universal, > > the problem with max-prefix is it does not say *which* prefixes. > so even if

Re: Blackhole Routes

2004-09-30 Thread Randy Bush
If every BGP session in your network is protected by a max-prefix limit, no matter who leaks, the damage will be limited and contained. >>> true, also not universal, >> the problem with max-prefix is it does not say *which* prefixes. >> so even if the drop-bgp stoopidity is corrected