[c-nsp] Sinkhole Routing

Amol Sapkal amolsapkal at gmail.com
Wed Sep 29 09:36:35 EDT 2004


The diagram got messed up, so I am resending it.


LAN--------\
                \                                             ___
                  \                                         /        \ exit
DMZ-------- |FIREWALL|---|SWITCH|---|7513|----- UPSTREAM
                  /                          /             \ ____ / exit
                /                          /
DMZ-------/                         LAN2



On Wed, 29 Sep 2004 19:04:41 +0530, Amol Sapkal <amolsapkal at gmail.com> wrote:
> Let me explain my current setup to you guys.
> 
> LAN--------\
>                 \                                             ___
>                   \                                         /        \ exit
> DMZ-------- |FIREWALL|---|SWITCH|---|7513|----- UPSTREAM
>                   /                          /             \ ____ / exit
>                 /                          /
> DMZ-------/                         LAN2
> 
> Now, I have an access-list (which is pretty long) that blocks most of
> the well-known attack ports. But each time I see an IP causing a
> flood, I need to edit the access-list, and it keeps getting longer.
> 
> IMHO, even if I have an access-list in place, my core router (7513) is
> still going to process the attack packets. I was looking at something
> like this:
> 1. Deploying a Linux-based system somewhere on the switch (or between
> the switch and the router) which can act like an IPS.
> 2. Deploying a low-end 2600 on the switch to actually protect the traffic inflow.
> 
> Is there any way I can let the core router switch the spurious traffic
> and still be able to route it to a box or 2600 (a sinkhole) residing
> on the switch?
> 
> I am wary of keeping my access-list growing, and there seems to be a
> problem implementing service policies on my exit interfaces.
> 
> Regds,
> Amol
> 
> 
> 
> 
> On Wed, 29 Sep 2004 08:09:25 -0400, Wojtek Zlobicki
> <wojtek.zlobicki at gmail.com> wrote:
> > This method, often called blackhole, allows for a filtering load to be
> > distributed.  Assuming a distributed DoS attack, when traffic is
> > entering your upstream provider's network at multiple points, creating
> > a blackhole community allows for all traffic with a particular tag
> > (666 is popular) to be null routed.  Each and every BGP speaking
> > router at your provider will null route any traffic based on a given
> > community; this way, when attacking hosts are entering a network at
> > 50 points, the load is distributed, and no single router is asked to
> > filter megabits/gigabits of traffic.  Most providers allow their
> > customers to send a route update with a blackhole community, which
> > allows traffic to one host to be null routed without having to call
> > support.  Keep in mind that this is applied upstream and not really at
> > your router. Blackholes are a last resort; they are great for hosts
> > that are expendable (a downstream customer's DSL connection) but
> > useless when the target is your primary mail/web server.  Most
> > providers will blackhole a host rather than apply ACLs (to save CPU
> > resources).
> >
> > E.G.
> >
> > By whatever method, you know that host 1.6.6.6 is being attacked.  You
> > send a route update to your service provider (for 1.6.6.6/32) with
> > their blackhole community string.  Without any interaction of their
> > network teams, this route gets distributed throughout their network.
> > Note that this community is generally non-transient, i.e. it does not
> > get passed to any of your provider's external BGP peers.  Depending on
> > from whom you purchase transit, and the strength of the attack, your
> > upstream may need to contact their upstreams to blackhole the traffic.
> >
> >
> >
> >
> > On Wed, 29 Sep 2004 17:18:33 +0530, Amol Sapkal <amolsapkal at gmail.com> wrote:
> > > Hi All,
> > >
> > > A good fellow on this list suggested 'Sinkhole Routing' to me as a
> > > solution to DoS attacks. I checked with Google and it indeed seems
> > > promising.
> > > Has anyone implemented it in their networks? I would be interested
> > > in doing it too, as long as I don't end up investing in huge hardware.
> > >
> > > --
> > > Warm Regds,
> > >
> > > Amol Sapkal
> > >
> > > --------------------------------------------------------------------
> > > An eye for an eye makes the whole world blind
> > > - Mahatma Gandhi
> > > --------------------------------------------------------------------
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> >
> >
> > --
> > ----------------------------------------
> > wojtek.zlobicki at gmail.com
> >


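As an added example, not a configuration posted by anyone in this thread: this is what the customer-triggered blackhole announcement Wojtek describes typically looks like on the customer-edge router (the 7513 in Amol's diagram), in Cisco IOS syntax. The host address 1.6.6.6 comes from the example above; the AS numbers, the neighbour address and the community value 65535:666 (following the "666" convention mentioned) are constructed placeholders, and the real community is whatever the upstream documents for its customers.

```cisco
! Added example (not from the thread): remote-triggered blackhole of one host.
! ASNs 64496/64500, neighbour 192.0.2.1 and community 65535:666 are constructed
! placeholders; substitute the upstream's documented blackhole community.
!
ip bgp-community new-format
!
! Static /32 for the attacked host, pointed at Null0 so the 7513 itself drops
! the traffic too. The tag lets the route-map pick out only blackhole statics.
ip route 1.6.6.6 255.255.255.255 Null0 tag 666
!
router bgp 64496
 ! Only statics matching the route-map are redistributed to the upstream;
 ! send-community is required or the blackhole community is silently stripped.
 redistribute static route-map BLACKHOLE-ONLY
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 send-community
!
! Announce tagged statics with the provider's blackhole community. no-export
! is added so the /32 cannot leak past the upstream even if their policy slips.
route-map BLACKHOLE-ONLY permit 10
 match tag 666
 set community 65535:666 no-export
!
! Everything else that is static stays local and is never announced.
route-map BLACKHOLE-ONLY deny 20
```

Withdrawing the blackhole is just removing the `ip route` line; the /32 disappears from the upstream as the redistributed route goes away. If the goal is to look at the attack traffic rather than discard it, the same static can point at the address of the sinkhole box on the switch instead of Null0, but that only redirects traffic that has already reached the 7513, so it complements the upstream blackhole rather than replacing it, and, as noted above, it takes legitimate traffic to the attacked host down with it.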