[c-nsp] Sinkhole Routing

Amol Sapkal amolsapkal at gmail.com
Wed Sep 29 09:34:41 EDT 2004


Let me explain my current setup to you guys.


LAN ---------\
              \  exit int
DMZ --------- |FIREWALL| ======= |SWITCH| --- |ROUTER 7513| ----- UPSTREAM ROUTER
              /  exit int            |
DMZ ---------/                      LAN2



Now, I got an access-list (which is pretty long) that blocks most of
the well known attack ports. But each time I see an IP causing a
flood, I need to edit the access-list and keep it getting longer.

IMHO, even if I have an access-list in place, my core router (7513) is
still going to process the attack packets. I was looking at something
like this:
1. Deploying a Linux based system somewhere on the switch (or between
the switch and the router) which can act like an IPS.
2. Deploying a low-end 2600 on the switch to actually protect the traffic inflow.

Is there any way I can let the core router switch the spurious traffic
and still be able to route it to a box or 2600 (a sinkhole) residing
on the switch?

I am wary of keeping my access-list growing, and there seems to be a
problem in implementing service policies on my exit interfaces.



Regds,
Amol


On Wed, 29 Sep 2004 08:09:25 -0400, Wojtek Zlobicki
<wojtek.zlobicki at gmail.com> wrote:
> This method, often called blackhole, allows for a filtering load to be
> distributed.  Assuming a distributed DoS attack, when traffic is
> entering your upstream providers network at multiple points, creating
> a blackhole community allows for all traffic with a particular tag
> (666 is popular) to be null routed.  Each and every BGP speaking
> router at your provider will null route any traffic based on a given
> community; this way, when attacking hosts are entering a network at
> 50 points, the load is distributed, and no single router is asked to
> filter megabits/gigabits of traffic.  Most providers allow their
> customers to send a route update with a blackhole community, which allows
> traffic to one host to be null routed without having to call support.
> Keep in mind that this is applied upstream and not really at your
> router. Blackholes are a last resort, they are great for hosts that
> are expendable (a downstream customers DSL connection) but useless
> when the target is your primary mail/web server.  Most providers will
> blackhole a host over applying ACLs (to save CPU resources).
> 
> E.G.
> 
> By whatever method, you know that host 1.6.6.6 is being attacked.  You
> send a route update to your service provider (for 1.6.6.6/32) with
> their blackhole community string.  Without any interaction of their
> network teams, this route gets distributed throughout their network.
> Note that this community is generally non transient, aka  it does not
> get passed to any of your providers external BGP peers.  Depending on
> from whom you purchase transit, and the strength of the attack, your
> upstream may need to contact their upstreams to blackhole the traffic.
> 
> 
> 
> 
> On Wed, 29 Sep 2004 17:18:33 +0530, Amol Sapkal <amolsapkal at gmail.com> wrote:
> > Hi All,
> >
> > A good fellow on this list suggested 'Sinkhole Routing' to me as a
> > solution to DoS attacks. I checked with Google and it indeed seems
> > promising.
> > Has anyone implemented it in their networks? I would be interested
> > in doing it too, as long as I don't end up investing in huge hardware.
> >
> > --
> > Warm Regds,
> >
> > Amol Sapkal
> >
> > --------------------------------------------------------------------
> > An eye for an eye makes the whole world blind
> > - Mahatma Gandhi
> > --------------------------------------------------------------------
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> 
> 
> --
> ----------------------------------------
> wojtek.zlobicki at gmail.com
> 



-- 
Warm Regds,

Amol Sapkal

--------------------------------------------------------------------
An eye for an eye makes the whole world blind 
- Mahatma Gandhi
--------------------------------------------------------------------
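As an added illustration of the mechanism Wojtek describes (not configuration from either poster or from any provider), below is an IOS-style sketch of the two halves of a remotely triggered blackhole: the customer side, where a tagged static route to Null0 for the victim /32 is redistributed into BGP carrying the provider's blackhole community, and the provider side, where every BGP speaker matches that community and sets the next hop to a discard address it already routes to Null0, so the drop happens at each ingress point instead of on one router's ACL. All addresses, AS numbers and the community value 65000:666 are assumed placeholders (1.6.6.6 is the example host from the thread); a real deployment uses the community and next-hop the upstream publishes. The last stanza shows the local sinkhole alternative the original question asks about: pointing the victim /32 at a capture box on the switch instead of dropping it, which keeps the 7513 forwarding the flood by destination lookup rather than ACL evaluation.

```cisco
!!! Customer side (the 7513): trigger a blackhole for one attacked host
!
! Static route to Null0, tagged so that only deliberately blackholed
! hosts are ever redistributed with the blackhole community.
ip route 1.6.6.6 255.255.255.255 Null0 tag 666
!
! Only routes carrying tag 666 are exported; they get the provider's
! blackhole community plus no-export so the /32 never leaks further.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set community 65000:666 no-export
 set origin igp
!
! Restrict what can be blackholed to our own address space, so a typo
! can never announce a /32 that is not ours.
ip prefix-list OWN-SPACE-32 seq 5 permit 1.6.6.0/24 ge 32
!
router bgp 64496
 neighbor 198.51.100.1 remote-as 65000
 ! Communities are not sent unless explicitly enabled.
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 prefix-list OWN-SPACE-32 out
 redistribute static route-map RTBH-TRIGGER
!
! Removing the attack: delete the trigger route and the /32 is withdrawn.
! no ip route 1.6.6.6 255.255.255.255 Null0 tag 666
!
!
!!! Provider side (on every BGP-speaking edge router)
!
! Discard next-hop: a static route to Null0 that exists on all routers,
! so whichever router receives the attack drops it in hardware.
ip route 192.0.2.1 255.255.255.255 Null0
!
ip community-list standard BLACKHOLE permit 65000:666
!
route-map FROM-CUSTOMER permit 10
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
route-map FROM-CUSTOMER permit 20
!
router bgp 65000
 neighbor 203.0.113.2 remote-as 64496
 neighbor 203.0.113.2 route-map FROM-CUSTOMER in
!
!
!!! Local sinkhole variant on the 7513 (instead of dropping upstream):
! route the victim /32 to an analysis box on the switch (10.0.0.50 is
! assumed) so the flood can be captured and characterised there.
! Use this OR the Null0 trigger above for a given host, not both.
ip route 1.6.6.6 255.255.255.255 10.0.0.50
```

The caveat from the thread applies to both halves: this is destination-based, so the victim host loses all reachability for as long as the /32 is announced, which is acceptable for an expendable host but completes the attacker's job if the target is your primary mail or web server. The tag and prefix-list guards matter because a blackhole announcement is a self-inflicted outage; they make sure only /32s you own, and only ones you tagged on purpose, can ever leave the router with that community.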