Re: RE: BGP Update Source

From: James (james@towardex.com)
Date: Tue Aug 10 2004 - 14:46:16 GMT-3


On Tue, Aug 10, 2004 at 10:38:52AM -0400, Jongsoo.Kim@Intelsat.com wrote:
> OK Wow. I never thought about this behavior even though I've been touching c
> and j for such a long time (cause I have never used it). Thanks for this
> info as I learned something new about BGP next-hop behavior.

No problem, glad to be able to assist :)

>
> But regarding your previous email to explain a method of preventing DDoS
> attacks by changing next-hop and no-export,
> my upstreams are UUnet and Level 3, connecting about 10 GigE links or so. But
> in our case, we are just using community.
> So we are using some special community tag based on which L3 and UUnet
> have some policy pre-set to blackhole the matches.
>
> Is there some reason why you don't just use community to prevent DoS?

Unfortunately the upstream I got doesn't currently support an auto-null community
as others do, even though the sales rep keeps telling us it is in the works.
But while they don't have a community for nullrouting, they still have followed
the NANOG presentation of placing 192.0.2.0/24 (IANA TEST-NET) into Null0 on major
core routers via static route. So I suppose it is "in the works", heh.
So I just called a couple of buddies I know at the provisioning group to change the
session to multihop and allow their prefix-list to hear up to /32. Then once
a prefix on our network is set with the null community, it blackholes on our routers;
then the border router converts it to next-hop 192.0.2.1, no-export on its way out to the
upstream neighbor, where it then gets blackholed at the upstream point as well.

Anyhow though, I think this thread is getting a bit off-topic with respect to
the interests of most people on this list. Feel free to follow up with me off-list
if you'd like any more information :-)

Thanks,
-J

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james@towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
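The blackhole setup James describes (null community inside the customer network, border router rewriting to next-hop 192.0.2.1 plus no-export, upstream with 192.0.2.0/24 in Null0 and a multihop session accepting /32s), written out as a constructed Cisco IOS-style configuration. This is an added example, not from the original mail or either provider; AS numbers 64496/64511, community 64496:666, tag 666, loopbacks 10.255.0.1/10.255.0.2 and the 203.0.113.0/24 customer block are placeholders.

```text
!--- Customer side, AS 64496 (constructed placeholders throughout)
!
! Every router in AS 64496 carries a discard route for the blackhole
! next-hop, so any prefix whose next-hop is 192.0.2.1 is dropped locally.
ip bgp-community new-format
ip route 192.0.2.1 255.255.255.255 Null0
!
! Trigger router: a static /32 for the attacked host, tagged so the
! route-map can recognise it when it is redistributed into BGP.
ip route 203.0.113.77 255.255.255.255 Null0 tag 666
!
router bgp 64496
 redistribute static route-map RTBH-TRIGGER
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set community 64496:666
 set origin igp
!
! Border router: on the way out to the upstream, keep the blackhole
! next-hop and add no-export so the /32 stays inside the upstream AS.
ip community-list standard NULLROUTE permit 64496:666
!
route-map TO-UPSTREAM permit 10
 match community NULLROUTE
 set ip next-hop 192.0.2.1
 set community no-export additive
route-map TO-UPSTREAM permit 20
!
router bgp 64496
 neighbor 10.255.0.2 remote-as 64511
 neighbor 10.255.0.2 ebgp-multihop 2
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 route-map TO-UPSTREAM out
!
!--- Upstream side, AS 64511: 192.0.2.0/24 to Null0 on the core routers,
!--- multihop session, prefix-list opened up to /32 within the customer block.
ip route 192.0.2.0 255.255.255.0 Null0
ip prefix-list CUST-IN seq 5 permit 203.0.113.0/24 le 32
!
router bgp 64511
 neighbor 10.255.0.1 remote-as 64496
 neighbor 10.255.0.1 ebgp-multihop 2
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 prefix-list CUST-IN in
```

During an attack the only thing that changes is the tagged static /32 on the trigger router; removing it withdraws the blackhole from both the customer's routers and the upstream.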


This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:36 GMT-3