[j-nsp] blackhole routing - RPF

Wei Keong chooweikeong at pacific.net.sg
Wed Jul 20 04:07:42 EDT 2005


Hi,

Thanks for sharing the info.

Yes, i know about the remote-triggered blackhole (destination/victim) 
using BGP community.

i am now exploring how to blackhole the source/attacker using RPF. 
Understand that Junos is not supporting 'Loose RPF ignoring default 
routes' (RFC3704).

Anyone from Juniper likes to clarify this? Thanks.

Regards,
Wei Keong



On Wed, 20 Jul 2005, Steinar Torsvik wrote:

> Hi,
>
> Rafal Szarecki (WA/EPO) wrote:
>
>> And to stop DoS (and dDoS) attack one of technics is black-hole routing of 
> DESTINATION (victim). This of course effectivly turn off attacked host from 
> network, but protect capacity of links and service for all other hosts. Theis 
> technology requires to instal /32 blachole as close to attack source as 
> possinle - on all external-facing interfaces. You can use BGP to automaticaly 
> propagate list of host-routes to be black-holed. If I remember corectly this 
> is called "community-base filtering".
>> Anyway to use this technique you has to know 2 things: 1) the attack is 
> ongoinga, and 2) victim's IP address. To has this knowlege use of traffic 
> sampling, J-flow export and on-line flow analysis is one of possible way. But 
> then we start to talk about OSS system...
>
> Configuration example can be found here: 
> http://www.secsup.org/CustomerBlackHole/
>
> You can often find the community number listed in the RIPE database if you do 
> a whois lookup for your ISPs AS number, for other regions of the world not 
> supported by RIPE i have no experience :-). If you can not find it you should 
> contact them, most of the larger ISPs (at least from my minor experience from 
> the few present in Norway :-) ) supports blackholing today.
>
> -- 
> Regards,
>
> Steinar Torsvik
> Fasthost AS
> Tlf: +47 22 00 88 50
> Mob: +47 99 02 99 88
>



More information about the juniper-nsp mailing list