RE: Blackholes and IXs and Completing the Attack.

From: Alex Pilosov (no email)
Date: Sun Feb 03 2008 - 04:13:38 EST

  • Next message: Ben Butler: "RE: Blackholes and IXs and Completing the Attack."

    On Sat, 2 Feb 2008, Tomas L. Byrnes wrote:

    > I sincerely doubt that any backbone provider will filter at a /32. That
    > means they have to check EVERY PACKET AT FULL IP DEST against your AS
    > advertised routes. Since most backbone routers build circuits at the /18
    > and above mask on MPLS, just to keep up with traffic, I sincerely doubt
    > they are going to expend the CPU, and potentially RAM, never mind prefix
    > table entries (you know, those things we're running out of) to have a
    > full table of every host that every hoster says is being DDOSed. In this
    > case, there's a clear economic cost, for no economic benefit (they do
    > actually make money delivering that DDOS traffic).
    "most backbone routers build circuits at the /18 and above mask on MPLS" -
    that part is seriously funny.

    However:
    a) Yes, if such a proposal were widely accepted, it would generate more
    entries in RIB/FIB.

    b) However, if this service was actually operated by IX's, the limits to
    prevent "too much" growth could be applied centrally (max-prefixes per
    ASN, automatic removal of those routes after X days, unless manually
    requested by host, etc).

    c) Since only your peers will have those :666 entries, it is less "route
    growth" than the alternative of announcing the affected block as a /24
    (which you seem to suggest).

    > A better approach would be to move your DDOS target and all the rest of
    > its co-subnet hosts into a different /24, update the DNS RRs, and cease
    > advertising that /24.
    That...is...perverted. Not to mention, you can't "cease advertising a /24".
    What you would need to do is to deaggregate your (say) /20 into /21, /22,
    /23 and /24. That's 3 extra entries in FIB for everyone in the world to
    carry.

    > If you really want to be nice, they don't need to renumber, you just
    > need to stop advertising the target subnet, change the DNS RRs and NAT
    > at your borders, if you control DNS and IP. The added benefit of this is
    > that you can swap them back when the DDoS is over, and they get to stay
    > up while it's happening. All you need to do this is some spare, never to
    > be allocated, IP space.
    That...is...perverted.

    -alex [not speaking as mlc anything]
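The two route-growth arguments in the message above (the /20 deaggregation that lands 3 extra entries in every full-table FIB, versus /32 blackholes tagged with the IX's :666 community that only direct peers carry, capped per ASN) can be checked with a few lines of code. The following is an added example written for this page and is not code from the thread or from any IX; the 10.20.0.0/20 aggregate, the attacked /24, the peer and router counts, and the placeholder IX ASN 64512 are all constructed assumptions, and the `<IX ASN>:666` community format is assumed from the ":666" mentioned in the message.

```python
"""Routing-table cost of two DDoS mitigation approaches (added example).

Assumptions (constructed, not from the thread): aggregate 10.20.0.0/20,
attacked host 10.20.5.7 in 10.20.5.0/24, IX ASN 64512 as a placeholder,
blackhole community written as <IX ASN>:666.
"""
from ipaddress import ip_address, ip_network


def deaggregate_excluding(aggregate: str, withdrawn: str) -> list[str]:
    """Covering prefixes to announce so every address in `aggregate` except
    the `withdrawn` block stays reachable (the "stop advertising that /24"
    approach). The standard binary split keeps, at each level, the sibling
    that does not contain the withdrawn block; for a /20 minus a /24 that is
    exactly one /21, one /22, one /23 and one /24, as the message says."""
    agg = ip_network(aggregate)
    gone = ip_network(withdrawn)
    if not gone.subnet_of(agg):
        raise ValueError(f"{withdrawn} is not inside {aggregate}")
    parts = agg.address_exclude(gone)
    # Largest covering prefix first, then by address.
    return [str(p) for p in
            sorted(parts, key=lambda p: (p.prefixlen, int(p.network_address)))]


def extra_global_entries(aggregate: str, withdrawn: str) -> int:
    """Net FIB growth for every full-table router on the Internet when the
    single aggregate is replaced by its covering prefixes."""
    return len(deaggregate_excluding(aggregate, withdrawn)) - 1


def blackhole_announcements(victims: list[str], ix_asn: int,
                            max_prefixes: int) -> list[tuple[str, str]]:
    """/32 blackhole routes tagged with the IX blackhole community (points
    (b) and (c) above). Only peers at the IX see these, and an IX-enforced
    per-ASN cap bounds the growth; we fail loudly when the cap would be
    exceeded rather than silently dropping victims from the list."""
    if len(victims) > max_prefixes:
        raise ValueError(
            f"{len(victims)} blackholes exceed the per-ASN cap of {max_prefixes}")
    return [(f"{ip_address(v)}/32", f"{ix_asn}:666") for v in victims]


def compare_costs(aggregate: str, withdrawn: str, victims: list[str],
                  peers_honoring_blackhole: int, full_table_routers: int,
                  ix_asn: int = 64512, max_prefixes: int = 100) -> dict[str, int]:
    """Total FIB entries added across the Internet under each approach.
    Deaggregation cost scales with every full-table router in the world;
    the blackhole cost scales only with the peers that honour the community."""
    return {
        "deaggregation_entries_worldwide":
            extra_global_entries(aggregate, withdrawn) * full_table_routers,
        "blackhole_entries_worldwide":
            len(blackhole_announcements(victims, ix_asn, max_prefixes))
            * peers_honoring_blackhole,
    }


if __name__ == "__main__":
    # Constructed sample values: one victim, 50 peers at the IX honouring
    # the blackhole community, 500,000 full-table routers worldwide.
    print(deaggregate_excluding("10.20.0.0/20", "10.20.5.0/24"))
    print(compare_costs("10.20.0.0/20", "10.20.5.0/24", ["10.20.5.7"],
                        peers_honoring_blackhole=50, full_table_routers=500_000))
```

The `deaggregate_excluding` result reproduces the message's count (4 covering prefixes replacing 1 aggregate, so 3 extra entries), and `compare_costs` makes the scaling argument concrete: the deaggregation is paid by every full-table router, the /32 blackhole only by the peers that accept the community, with the per-ASN cap from point (b) bounding the worst case.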
