[c-nsp] temporary static routes

Brandon Ewing nicotine at warningg.com
Tue Feb 10 09:50:06 EST 2009


On Tue, Jan 06, 2009 at 01:29:50PM -0500, Jeff Kell wrote:
> 
> Of course the ultimate solution would be a BGP-peering feed of IPs to
> null that also did the timeouts for you, but as far as I know, that's
> still the great pie in the sky :-)
> 

clogin/RANCID + Quagga + crontab + <INSERT YOUR FAVORITE LANGUAGE HERE> +
Apache = BGP nullroute server with self-expiry.

I use it regularly to allow non-network personnel to temporarily nullroute
troublesome IPs while I sleep.

Additionally, it's put together in such a way that I can leverage flowstats
top talker reports to have limited success blocking non-spoofed DDoS attacks
at the network edge via loose-mode RPF. Identify the hosts doing an order of
magnitude more [packets | bits | connections] than the rest of your traffic
stream, pipe it through awk, and feed it into your nullroute machine.

-- 
Brandon Ewing                                        (nicotine at warningg.com)
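A sketch of the two pieces the post describes, the self-expiring null-route store and the order-of-magnitude top-talker filter, added here as an example and not Brandon's tool. It assumes Quagga's zebra is driven through `vtysh -c`, that redistribution of statics into BGP (with a blackhole community) is configured separately on the router, and that the state file and packet counts are constructed for illustration.

```python
"""Expiring Null0 route store plus top-talker filter (added example)."""
import ipaddress
import statistics
import subprocess


def top_talkers(counts, factor=10):
    """Sources sending an order of magnitude more packets than the median.

    counts: {src_ip: packets} from a flow top-talker report (constructed here).
    """
    if len(counts) < 2:
        return []
    median = statistics.median(counts.values())
    return sorted(ip for ip, n in counts.items() if n >= factor * median)


def vtysh_cmds(ip, add=True):
    """Zebra commands installing or withdrawing a host static pointing at Null0."""
    verb = "" if add else "no "
    return ["configure terminal", f"{verb}ip route {ip}/32 Null0"]


def add_route(store, ip, ttl, now):
    """Record an expiry deadline for ip and return the commands to install it.

    The address is parsed first so web-form input cannot smuggle vtysh syntax.
    """
    ip = str(ipaddress.IPv4Address(ip))
    store[ip] = now + ttl
    return vtysh_cmds(ip, add=True)


def expire(store, now):
    """Drop every entry past its deadline; return the withdrawal commands.

    Meant to run from cron so routes disappear without anyone logging in.
    """
    cmds = []
    for ip in [ip for ip, deadline in store.items() if deadline <= now]:
        cmds += vtysh_cmds(ip, add=False)
        del store[ip]
    return cmds


def run_vtysh(cmds):
    """Hand the command list to vtysh as a chain of -c arguments."""
    argv = ["vtysh"] + [a for c in cmds for a in ("-c", c)]
    return subprocess.run(argv, check=True)
```

Persist `store` (for example as JSON) between the web-facing add path and the cron-driven `expire` path so a restart does not lose the deadlines.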