Re: Blackholing traffic by ASN

From: Christopher Morrow (no email)
Date: Thu Jan 31 2008 - 00:21:57 EST

  • Next message: Warren Kumari: "Re: potential hazards of Protect-America act"

    On Jan 30, 2008 3:54 PM, Deepak Jain <> wrote:
    >
    >
    > This is prior art. (Assuming your hardware has a hardware blackhole (or
    > you have a little router sitting on the end of a circuit)) you adjust
    > your route-map that would deny the entry to set a community or next-hop
    > pointing to your blackhole location.
    >
    > Nowadays, most equipment can blackhole internally (to null0 say) at full
    > speed, so it isn't an issue. Just set your next hop to a good null0
    > style location on route import and you are done for traffic destined to
    > those locations.
    >

    ...do uRPF-loose-mode and you kill FROM these locations as well...

    > For inbound traffic from those locations you would need to do policy
    > routing (because you are looking up on source). If you are trying to

    (uRPF loose-mode)

    > block SPAM or anything TCP related, you only need to block 1 direction
    > to end the conversation.
    >

    be cautious of 'synflooding' your internal hosts with this though...
    Null0 doesn't generate unreachables at packet-rate, but at a lower
    (1:1000 I believe on cisco by default) rate.

    > Sounds harsh, but hey, it's your network.
    >

    wee! and for some extra fun, just append the bad-guy's ASN to your
    route announcements, force bgp loop-detection to kill the traffic on
    their end (presuming they don't default-route as well)

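    The three mechanisms discussed above (rewriting the next-hop of imported routes to an address that points at Null0, loose-mode uRPF so the source direction is dropped as well, and poisoning outbound announcements with the remote ASN so the far side's BGP loop detection discards the path), shown as an added Cisco IOS configuration sketch. This is not part of the original thread or either poster's configuration; the ASNs 64496/64497/64511, the 192.0.2.1 blackhole address and the 203.0.113.1 neighbor are constructed placeholders from the documentation ranges, and it is assumed the platform accepts a foreign ASN in `set as-path prepend`.

```cisco
! Added example, not from the thread. All ASNs and addresses are placeholders.
!
! 1. Blackhole target: a host route to Null0. Anything whose next-hop is
!    rewritten to this address is discarded in the forwarding path.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Suppress ICMP unreachables for dropped packets entirely, rather than
! relying on the platform's rate limit mentioned in the thread.
interface Null0
 no ip unreachables
!
! 2. Key the import policy on the offending ASN (origin match), not on a
!    hand-maintained prefix list.
ip as-path access-list 10 permit _64497$
!
route-map BLACKHOLE-ASN-IN permit 10
 match as-path 10
 set ip next-hop 192.0.2.1
! Everything else is accepted unchanged.
route-map BLACKHOLE-ASN-IN permit 20
!
! 3. Loose-mode uRPF on the transit edge. The route for the blackholed
!    prefixes now resolves to Null0, so packets sourced FROM them fail the
!    source lookup and are dropped too (no policy routing needed).
interface GigabitEthernet0/0
 description transit uplink
 ip verify unicast source reachable-via any
!
! 4. Optional: prepend the remote ASN to our announcements so their routers'
!    loop detection rejects the path. Ineffective if they default-route to us,
!    and it applies to every prefix sent through this policy.
route-map POISON-ASN-OUT permit 10
 set as-path prepend 64497
!
router bgp 64496
 neighbor 203.0.113.1 remote-as 64511
 neighbor 203.0.113.1 route-map BLACKHOLE-ASN-IN in
 neighbor 203.0.113.1 route-map POISON-ASN-OUT out
```

    Check the effect with `show ip route` for one of the blackholed prefixes (next-hop 192.0.2.1 resolving to Null0) and `show ip interface GigabitEthernet0/0` for the uRPF drop counter; the `permit 20` clause in the import map is what keeps the rest of the table intact, so do not omit it.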
