[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?

Bill Wichers billw at waveform.net
Thu Jun 9 22:50:41 EDT 2005


> What are opinions of say, 2xN Mbps rate-limited ethernet connections
> (1 per border router, 2 routers, through different physical paths),
> starting out at 10Mbps, burstable up to 100Mbps... in a
> carrier-neutral building with 42 carriers?

I have personally seen a 10Mb/s Ethernet link get completely wiped out by
a DDoS. The link filled up completely, and the BGP session would drop,
then the traffic would stop, the BGP session would come back, the traffic
would come back, then the BGP session would drop.... Then I get really
busy when the network gets damped for that carrier ;-) Not fun. We haven't
seen this problem on burstable 100Mb/s circuits, though I have heard of
DDoS attacks of more than 100Mb/s; they seem to be rare.

> I'm evaluating http://www.dpte.net, and they offer a bundle of the
> above connectivity to the 42 carriers (they call it blending?), along
> with a 10x10 ft cage ... it would seem to make data connections to a
> standby site (t1-OC-x, whatever I need to scale up to) very easy to
> get, and get very quickly.

Never heard of them myself, but there are a lot of tier-2's out there that
can do a pretty good job at a good price. I would certainly look into
their offerings, especially if they are friendly and flexible and will
help you start small and upgrade incrementally. Burstable connections will
really help you handle attacks without a large cost if you can get large
maximum capacities and a small monthly revenue commitment.

> How does BGP peering work in such an environment, for an end-user AS?

That's a pretty big question... Basically you take a feed of routes from
each of your peers, and your router then can make decisions as to the
optimal path to a given site. The same basically works in reverse too,
except that you advertise your block to your various peers. If one link
goes down, everything uses the remaining link(s) and you maintain
connectivity to the general Internet. There have been several threads
recently on this list about much more detailed configurations. You'll need
an AS, and at least a /24 netblock to run BGP, along with a router that
can handle a full view (ideally) from each peer you plan to link into.

     -Bill

*****************************
Waveform Technology
UNIX Systems Administrator
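As an added illustration of the multihomed setup described above (this is not code from the original post or from Bill): a minimal Cisco IOS border-router configuration for an end-user AS that takes a full view from two upstream carriers and announces a single /24. AS numbers, addresses, neighbor names and the password placeholders are constructed from documentation ranges (RFC 5737 / RFC 5398), not values from the thread.

```cisco
! Pull-up route so the "network" statement always has a matching route to
! announce, even while interfaces inside the /24 flap. Distance 254 keeps it
! below any real route to the same block.
ip route 203.0.113.0 255.255.255.0 Null0 254
!
! Outbound: announce only our own block. Never re-advertise routes learned
! from one carrier to the other, or the site silently becomes a transit path.
ip prefix-list OUR-BLOCK seq 5 permit 203.0.113.0/24
!
! Inbound: drop our own block (prevents an upstream from hijacking return
! traffic), drop a default route, and drop anything longer than /24.
ip prefix-list FROM-UPSTREAM seq 5 deny 203.0.113.0/24 le 32
ip prefix-list FROM-UPSTREAM seq 10 deny 0.0.0.0/0
ip prefix-list FROM-UPSTREAM seq 15 permit 0.0.0.0/0 le 24
!
router bgp 64496
 no synchronization
 no auto-summary
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 !
 ! Carrier A (placeholder AS/address). TCP MD5 on the session, prefix
 ! filters both ways, and a prefix limit sized above the current full table
 ! so a leaked or misconfigured feed tears down the session instead of
 ! exhausting router memory. Adjust the limit to today's table size.
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 description UPSTREAM-A-PLACEHOLDER
 neighbor 192.0.2.1 password SHARED-SECRET-A-PLACEHOLDER
 neighbor 192.0.2.1 prefix-list FROM-UPSTREAM in
 neighbor 192.0.2.1 prefix-list OUR-BLOCK out
 neighbor 192.0.2.1 maximum-prefix 250000 90
 !
 ! Carrier B (placeholder AS/address), same policy on the second physical path.
 ! With both sessions up the router picks the best path per destination; if
 ! one link is down or flapping, the other carries everything.
 neighbor 198.51.100.1 remote-as 64498
 neighbor 198.51.100.1 description UPSTREAM-B-PLACEHOLDER
 neighbor 198.51.100.1 password SHARED-SECRET-B-PLACEHOLDER
 neighbor 198.51.100.1 prefix-list FROM-UPSTREAM in
 neighbor 198.51.100.1 prefix-list OUR-BLOCK out
 neighbor 198.51.100.1 maximum-prefix 250000 90
```

Verify after loading that each carrier sees only the /24 with `show ip bgp neighbors <addr> advertised-routes`, and that `show ip bgp summary` shows a prefix count consistent with a full view on both sessions.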