
Re: BGP Black hole Community

2003-04-08 15:33:53
How do you prevent this from being used as a DoS attack by itself?

                --Dean

On Tue, 8 Apr 2003, Peering wrote:

These days Remote Triggered Black Hole routing is a very hot issue and each
provider is configuring the network individually. This technique is used to
mitigate Denial of Service (DoS) attacks. We are also using this
technique and providing this service only to our customers. So if a customer
advertises a prefix with a special community attached (for example ASN:9999),
then we take the following actions:

- Set the next hop IP for this prefix to 192.0.2.1

- Already configured static route for 192.0.2.0/24 and the next hop is set
to Null0

  ip route 192.0.2.0 255.255.255.0 null0

- Null0 interface is already configured to not send ICMP unreachables (the IOS
  command is "no ip unreachables"):

  interface Null0
   no ip unreachables

- Advertise this prefix to all other routers inside our backbone.

Each service provider has defined their own community for this purpose (due
to the unavailability of a well-known community). A few service providers are
trying to exchange this community with peering members other than
customers.

I think we should have a well-known community attribute for this purpose,
for example "DISCARD". This community attribute could be additive with other
existing well-known communities (NOEXPORT, NOADVERTISE and INTERNET) to
control the advertisement of the prefix.

Even though it is never explicitly stated that well-known communities
trigger actions in BGP without further user configuration, we may or may not
choose to set an action for this community. An action could be defined to
discard the traffic.

As I mentioned above, this new community could be used with other well-known
communities. For example, if DISCARD and NOEXPORT are attached to a prefix, it
means the traffic destined for that prefix will be discarded locally on that
router and will not get advertised to any external BGP peer.

Comments?

Cheers,
Shahid Ajaz
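An added configuration example in Cisco IOS syntax (not from the post, and not any provider's actual configuration) showing the customer-triggered black hole described above, including the check that limits the trigger to prefixes the customer is entitled to announce. Assumed values: provider AS 9999, customer AS 65001 peering from 10.0.0.2 and announcing 203.0.113.0/24; the community-list, prefix-list and route-map names are hypothetical.

```cisco
! Provider AS 9999; trigger community ASN:9999 written as 9999:9999
ip bgp-community new-format
ip community-list standard CUST-BLACKHOLE permit 9999:9999
!
! Only address space the customer is allowed to announce may be black-holed,
! down to a single host (/32). This keeps a customer from triggering a
! discard for someone else's prefix. (Assumed customer block.)
ip prefix-list CUST-65001-ALLOWED seq 5 permit 203.0.113.0/24 le 32
!
! Inbound policy from the customer: a tagged prefix within the allowed
! range gets next hop 192.0.2.1, a higher local preference so it wins,
! and NO_EXPORT so it never leaves our AS.
route-map CUST-65001-IN permit 10
 match community CUST-BLACKHOLE
 match ip address prefix-list CUST-65001-ALLOWED
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
!
! Untagged customer prefixes are accepted normally (still prefix-filtered).
route-map CUST-65001-IN permit 20
 match ip address prefix-list CUST-65001-ALLOWED
!
! Static route for the black hole next hop, as in the post; every router
! in the backbone needs this so the discard happens at the ingress edge.
ip route 192.0.2.0 255.255.255.0 Null0
!
interface Null0
 no ip unreachables
!
router bgp 9999
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 route-map CUST-65001-IN in
 neighbor 10.0.0.2 send-community
```

Because the black-holed prefix is only installed when both the community and the prefix-list match, the trigger cannot be used against address space the customer does not own, which is the check that answers the "DoS attack by itself" concern.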
