[c-nsp] Sinkhole Routing
Amol Sapkal
amolsapkal at gmail.com
Wed Sep 29 09:34:41 EDT 2004
Let me explain my current setup to you guys.
LAN  ----------\
                \                                            exit int
DMZ  ---------- |FIREWALL|---|SWITCH|---|ROUTER 7513|=========== UPSTREAM ROUTER
                /                                            exit int
DMZ  ----------/
LAN2 ----------/
Now, I have an access-list (which is pretty long) that blocks most of
the well-known attack ports. But each time I see an IP causing a
flood, I need to edit the access-list, and it keeps getting longer.
IMHO, even if I have an access-list in place, my core router (7513) is
still going to process the attack packets. I was looking at something
like this:
1. Deploying a Linux-based system somewhere on the switch (or between
the switch and the router) which can act like an IPS.
2. Deploying a low-end 2600 on the switch to actually protect the traffic inflow.
Is there any way I can let the core router switch the spurious traffic
and still be able to route it to a box or 2600 (a sinkhole) residing
on the switch?
I am wary of my access-list growing any further, and there seems to be a
problem with implementing service policies on my exit interfaces.
Regds,
Amol
On Wed, 29 Sep 2004 08:09:25 -0400, Wojtek Zlobicki
<wojtek.zlobicki at gmail.com> wrote:
> This method, often called blackhole, allows for a filtering load to be
> distributed. Assuming a distributed DoS attack, when traffic is
> entering your upstream provider's network at multiple points, creating
> a blackhole community allows for all traffic with a particular tag
> (666 is popular) to be null routed. Each and every BGP speaking
> router at your provider will null route any traffic based on a given
> community; this way, when attacking hosts are entering a network at
> 50 points, the load is distributed, and no single router is asked to
> filter megabits/gigabits of traffic. Most providers allow their
> customers to send a route update with a blackhole community, which allows
> traffic to one host to be null routed without having to call support.
> Keep in mind that this is applied upstream and not really at your
> router. Blackholes are a last resort; they are great for hosts that
> are expendable (a downstream customer's DSL connection) but useless
> when the target is your primary mail/web server. Most providers will
> blackhole a host over applying ACLs (to save CPU resources).
>
> E.G.
>
> By whatever method, you know that host 1.6.6.6 is being attacked. You
> send a route update to your service provider (for 1.6.6.6/32) with
> their blackhole community string. Without any interaction of their
> network teams, this route gets distributed throughout their network.
> Note that this community is generally non-transient, aka it does not
> get passed to any of your provider's external BGP peers. Depending on
> from whom you purchase transit, and the strength of the attack, your
> upstream may need to contact their upstreams to blackhole the traffic.
>
> On Wed, 29 Sep 2004 17:18:33 +0530, Amol Sapkal <amolsapkal at gmail.com> wrote:
> > Hi All,
> >
> > A good fellow on this list suggested 'Sinkhole Routing' to me as a
> > solution to DoS attacks. I checked with Google and it indeed seems
> > promising.
> > Has anyone implemented it in their networks? I would be interested
> > in doing it too, as long as I don't end up investing in huge hardware.
> >
> > --
> > Warm Regds,
> >
> > Amol Sapkal
> >
> > --------------------------------------------------------------------
> > An eye for an eye makes the whole world blind
> > - Mahatma Gandhi
> > --------------------------------------------------------------------
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
>
> --
> ----------------------------------------
> wojtek.zlobicki at gmail.com
>
--
Warm Regds,
Amol Sapkal
--------------------------------------------------------------------
An eye for an eye makes the whole world blind
- Mahatma Gandhi
--------------------------------------------------------------------
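Added example, not part of any post in this thread: IOS configuration fragments for the two things discussed above, the customer-triggered blackhole that Wojtek describes (community 666 and the attacked host 1.6.6.6 are his; the route is carried to the provider as a tagged /32) and the sinkhole on Amol's 7513 that replaces an ever-growing access-list. The fragments belong to three different routers and roles. Everything not in the thread is assumed for illustration: AS 65000 as the provider and AS 65001 as the customer, 203.0.113.1/.2 as the eBGP peering addresses, 1.6.6.0/24 as the customer's block, 192.0.2.1 as the provider's discard next-hop, 10.10.10.10 as the sinkhole box on the switch, 198.51.100.77 as a flooding source, and Serial1/0/0 as an exit interface.

```cisco
!=== 1. Customer edge router (assumed AS 65001): trigger the blackhole ===
! A static route to Null0 carrying tag 666 is the trigger. The route-map
! turns the tag into the provider's blackhole community (65000:666 assumed)
! on redistribution; statics without the tag hit the implicit deny and are
! not redistributed. Removing the static route withdraws the blackhole.
ip bgp-community new-format
!
ip route 1.6.6.6 255.255.255.255 Null0 tag 666
!
router bgp 65001
 redistribute static route-map STATIC-TO-BGP
 neighbor 203.0.113.1 remote-as 65000
 neighbor 203.0.113.1 send-community
!
route-map STATIC-TO-BGP permit 10
 match tag 666
 set community 65000:666
 set origin igp
!
!=== 2. Provider edge router (assumed AS 65000): honour the community ===
! Every BGP speaker in the provider network carries the same static route
! for the discard next-hop, so the /32 is dropped wherever the attack
! enters rather than at one router.
ip route 192.0.2.1 255.255.255.255 Null0
!
ip community-list standard BLACKHOLE permit 65000:666
ip prefix-list CUST-HOST-ROUTES seq 5 permit 1.6.6.0/24 ge 32
ip prefix-list CUST-PREFIXES seq 5 permit 1.6.6.0/24
!
! Both match clauses in entry 10 must hold: only a /32 inside the
! customer's own block may be blackholed, so a customer cannot blackhole
! someone else's address. no-export keeps the route inside the provider's
! AS, which is the "does not get passed to external peers" behaviour
! described in the thread.
route-map CUST-IN permit 10
 match ip address prefix-list CUST-HOST-ROUTES
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
!
route-map CUST-IN permit 20
 match ip address prefix-list CUST-PREFIXES
!
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 route-map CUST-IN in
!
!=== 3. Core 7513 (Amol's side): sinkhole instead of a growing ACL ===
! Destination sinkhole: traffic for the attacked host is forwarded to the
! sinkhole box on the switch (10.10.10.10 assumed), where it can be
! captured and analysed instead of reaching the servers. This is an
! alternative to the Null0 trigger route in section 1 for the same /32;
! use one or the other on a given router, not both.
ip route 1.6.6.6 255.255.255.255 10.10.10.10
!
! Source drop: point each flooding source at Null0 and let loose-mode uRPF
! on the exit interfaces discard packets whose source resolves to Null0.
! Adding a source is one static route, not another ACL line. Requires CEF;
! allow-default is needed because the 7513 reaches the Internet through a
! default route and sources matching only the default must still pass.
ip cef
ip route 198.51.100.77 255.255.255.255 Null0
!
interface Serial1/0/0
 description exit int to upstream
 ip verify unicast source reachable-via any allow-default
```

The sinkhole in section 3 is still destination-based, so the attacked host goes dark just as with the upstream blackhole; what it buys is that the 7513 forwards the flood with a single FIB lookup instead of evaluating a long access-list, and the sinkhole box gets a copy to look at. The uRPF variant is what actually answers the "one more ACL line per flooding source" complaint, and it needs the same care as any uRPF deployment: check with `show ip interface` and `show ip traffic` that legitimate sources are not being dropped before leaving it on.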