[j-nsp] blackhole routing - RPF

Rafal Szarecki (WA/EPO) rafal.szarecki at ericsson.com
Thu Jul 14 04:16:00 EDT 2005


Hi,

RPF is rather an anti-spoofing technology than a DoS-stopping one.
IMHO use of loose RPF is rather useless in an ISP environment, even without 0/0. The bad guy can always use as source some IP address existing in the Internet...

Strict RPF is much better, as long as the external network has only one way to the Internet - the link to your network.

In more sophisticated cases - multi-homed customers/peers - firewall filters can be the only option to prevent address spoofing (topology and design dependent).

And to stop DoS (and DDoS) attacks, one of the techniques is black-hole routing of the DESTINATION (victim). This of course effectively turns off the attacked host from the network, but protects the capacity of links and the service for all other hosts. This technique requires installing the /32 blackhole as close to the attack source as possible - on all external-facing interfaces. You can use BGP to automatically propagate the list of host-routes to be black-holed. If I remember correctly this is called "community-based filtering".
Anyway, to use this technique you have to know 2 things: 1) the attack is ongoing, and 2) the victim's IP address. To have this knowledge, the use of traffic sampling, J-Flow export and on-line flow analysis is one possible way. But then we start to talk about OSS systems...

Rafal Jan Szarecki JNCIP#135

Senior Consultant - Datacom Networks
Ericsson Poland EPO/S/D




> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net 
> [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Wei Keong
> Sent: Wednesday, July 13, 2005 12:58 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] blackhole routing - RPF
> 
> 
> Hi,
> 
> I understand that one of the ways to stop a DoS attack is to
> blackhole route
> based on source address, by using RPF (loose) and null route.
> 
> I am not very sure about the behaviour of RPF (loose) in 
> juniper routers, 
> especially if the router has a default route.
> 
> http://www.juniper.net/techpubs/software/junos/junos61/swconfig61-interfaces/html/interfaces-family-config21.html#1066802
> 
> Has anyone tried to do this before? Does it work as expected?
> 
> Thanks,
> Wei Keong
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
> 
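Added example (not part of either message above): a Junos configuration sketch of the three measures the reply describes - strict uRPF on a single-homed customer link, a source-prefix firewall filter on a multi-homed one, and a destination-based (victim /32) blackhole distributed over iBGP by community. Interface names, addresses (RFC 5737 documentation ranges), the AS number, the community value and the iBGP neighbor are all assumed for illustration.

```junos
## Added example, not from the thread. All names, addresses, AS numbers
## and community values are assumed.

interfaces {
    ## Single-homed customer: strict uRPF is enough. "rpf-check" without
    ## "mode loose" is strict mode (loose mode with a default route would
    ## match every source via 0/0 and so pass practically everything).
    ge-0/0/0 {
        unit 0 {
            family inet {
                rpf-check;
                address 192.0.2.1/30;
            }
        }
    }
    ## Multi-homed customer: the return route may point elsewhere, so
    ## strict uRPF would drop legitimate traffic. Enforce the customer's
    ## announced prefixes with a firewall filter instead.
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input CUSTOMER-IN;
                }
                address 192.0.2.5/30;
            }
        }
    }
}

firewall {
    family inet {
        filter CUSTOMER-IN {
            term allow-customer-sources {
                from {
                    source-address {
                        198.51.100.0/24;   ## assumed customer prefix
                    }
                }
                then accept;
            }
            term drop-spoofed {
                then {
                    count spoofed-src;    ## counter to watch during an attack
                    discard;
                }
            }
        }
    }
}

## Destination-based blackhole (the "community-based" scheme): every edge
## router carries a static discard route for a reserved blackhole next hop,
## and an iBGP import policy rewrites the next hop of any /32 tagged with
## the blackhole community to that address.
routing-options {
    static {
        route 192.0.2.254/32 discard;    ## assumed blackhole next-hop address
    }
}

policy-options {
    community BLACKHOLE members 65000:666;   ## assumed ASN:value
    policy-statement RTBH-IMPORT {
        term blackhole-host-routes {
            from {
                protocol bgp;
                community BLACKHOLE;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                next-hop 192.0.2.254;
                accept;
            }
        }
    }
}

protocols {
    bgp {
        group ibgp {
            type internal;
            import RTBH-IMPORT;
            neighbor 10.0.0.1;   ## assumed trigger router / route reflector
        }
    }
}
```

To blackhole a victim, the trigger router (a separate box, not shown) originates the host route tagged with the same community, for example `set routing-options static route 203.0.113.55/32 discard community 65000:666` (victim address assumed), and exports static routes carrying that community into iBGP; every edge router then forwards traffic to 203.0.113.55 into its discard route. Restricting the import term to /32 and to the BLACKHOLE community, as above, keeps a mis-tagged or broader prefix from being discarded by accident.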