On Tuesday, Apr 8, 2003, at 18:26 Canada/Eastern, Dean Anderson wrote:
> How do you prevent this from being used as a DOS attack by itself?
If you filter prefixes sent to your network from customers, and ensure
that the next-hop-blackhole policy can only happen on a customer
session, then the only DoS that can happen is by a customer on
themselves. The utility of such a mechanism for a customer who is
paying for delivered bandwidth is that inbound traffic directed at a
particular customer address or netblock can be discarded before it gets
close to the pipe over which the dollar meter runs.
Shahid: you can make this more effective in your network by configuring
the null interface on every edge router, and not just in one place.
That way traffic will be discarded as early as possible (you might also
consider setting no-export on the "blackhole me" prefixes sent by
customers to avoid accidentally leaking them to peers).
It is difficult to see how such a well-known community could be
implemented by vendors without also specifying a well-known "discard"
next-hop address. In the absence of any other configuration by a
network operator, what do you propose a router should do when it
receives a prefix with this community?
Joe
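The customer-triggered blackhole policy described in the reply above, written out as a constructed Cisco IOS configuration. This is an added example, not from the original message or its author: the ASN 65000, the "blackhole me" community 65000:666, the discard address 192.0.2.1 and the customer block 203.0.113.0/24 are placeholder values, and the neighbor address is assumed. It applies the three safeguards the reply names: prefix filtering on the customer session, the blackhole policy only on that session, and no-export on the discarded prefixes.

```cisco
! Constructed example (not from the original thread). Customer-triggered
! remote blackholing on an edge router. Values are placeholders.
!
ip bgp-community new-format
!
! 1. Repeat on EVERY edge router so traffic is dropped at the first hop
!    into the network, not carried across the backbone to one box.
ip route 192.0.2.1 255.255.255.255 Null0
!
! 2. Community the customer attaches to a prefix to request discard.
ip community-list standard BLACKHOLE permit 65000:666
!
! 3. Only prefixes inside the customer's own assignment are accepted,
!    including the more-specific /32s a customer blackholes.
ip prefix-list CUST-A-IN seq 5 permit 203.0.113.0/24 le 32
!
! 4. Inbound policy for the customer session. Clause 10: an accepted
!    prefix carrying the blackhole community gets the discard next-hop
!    (resolving to Null0 everywhere) and no-export, so it never leaks
!    to peers. Clause 20: ordinary customer prefixes pass unchanged.
!    Anything outside the prefix-list is dropped by the implicit deny.
route-map CUST-A-IN permit 10
 match ip address prefix-list CUST-A-IN
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set community no-export additive
route-map CUST-A-IN permit 20
 match ip address prefix-list CUST-A-IN
!
! 5. Apply the policy only on the customer neighbor. Peer and transit
!    sessions carry no clause that honors the community, so a non-customer
!    cannot blackhole anyone else's address space through this router.
router bgp 65000
 neighbor 203.0.113.254 remote-as 65001
 neighbor 203.0.113.254 description customer A
 neighbor 203.0.113.254 route-map CUST-A-IN in
```

The only party able to trigger a discard for 203.0.113.0/24 is the customer who is accepted for that block, which is the "only DoS is a customer on themselves" property the reply describes. One caveat worth checking on a real deployment: if iBGP sessions toward the rest of the network use `next-hop-self`, the discard next-hop is rewritten to the receiving edge router's own address, so traffic is still dropped, but only after crossing the backbone to that router rather than at every edge, which defeats the "discard as early as possible" goal of step 1.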