[j-nsp] Bandwidth aware using BGP on ISP transit

Alexander Arseniev arseniev at btinternet.com
Sun Jan 24 15:34:53 EST 2016


Hello,
The problem lies in how you make the attacker prefer one of the 
links while the rest of the world prefers all but the one preferred by 
the attacker.
I imagine this could be done if you know the attacker's source ASN:
- do not prepend your announcements out of the link picked by the attacker
- prepend your announcements out of ALL other links with the attacker's ASN.
Use JUNOS "as-path-expand" 
https://www.juniper.net/documentation/en_US/junos14.1/topics/usage-guidelines/policy-adding-as-numbers-to-bgp-as-paths.html 

- do not make the attacker's ASN the rightmost one, as this will break BGP 
route origin verification; prepend like below:
^<Your own ASN><attacker's ASN, possibly multiple times><Your own ASN>$
This approach of course will affect the legit traffic from the attacker's 
source ASN.
- if there are multiple attacker source ASNs then this becomes 
progressively difficult, of course.
HTH
Thx
Alex
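The per-link export policies described above, written out as a constructed JUNOS example (this is not configuration from Alex's post or from Juniper; AS 64512 stands in for your own ASN, AS 65001 for the attacker's source ASN, and 192.0.2.0/24, 198.51.100.1 and 203.0.113.1 are documentation-range placeholders). The quoted-string form of as-path-expand is taken from the linked usage guideline; its exact placement behaviour (after the local AS, before the received path) is assumed from that page and should be confirmed on your release.

```junos
policy-options {
    /* Constructed example: AS 64512 is our ASN, AS 65001 is the attacker's source ASN */
    prefix-list OUR-PREFIXES {
        192.0.2.0/24;
    }
    /* Export towards the one transit link the attacker should keep using:
       plain announcement, no prepending at all */
    policy-statement EXPORT-TRANSIT-A {
        term ours {
            from prefix-list OUR-PREFIXES;
            then accept;
        }
        then reject;
    }
    /* Export towards every other transit link: insert the attacker's ASN
       after our own ASN, but keep our own ASN rightmost so the origin AS
       (the rightmost AS) is still 64512 and route origin validation passes.
       Resulting path as seen by the peer: 64512 65001 65001 64512 */
    policy-statement EXPORT-TRANSIT-OTHERS {
        term ours {
            from prefix-list OUR-PREFIXES;
            then {
                as-path-expand "65001 65001 64512";
                accept;
            }
        }
        then reject;
    }
}
protocols {
    bgp {
        /* the link picked by the attacker */
        group TRANSIT-A {
            type external;
            peer-as 64496;
            export EXPORT-TRANSIT-A;
            neighbor 198.51.100.1;
        }
        /* all remaining transit links get the expanded path */
        group TRANSIT-B {
            type external;
            peer-as 64497;
            export EXPORT-TRANSIT-OTHERS;
            neighbor 203.0.113.1;
        }
    }
}
```

After committing, check what each peer actually receives with `show route advertising-protocol bgp 203.0.113.1 192.0.2.0/24 detail` (and the same for 198.51.100.1): the AS path shown for the TRANSIT-B neighbour should match the ^64512 65001 65001 64512$ shape from the post, while the TRANSIT-A neighbour should see only 64512. The AS path is the only thing this changes, so legitimate traffic from AS 65001 is steered onto TRANSIT-A along with the attack, exactly as the post warns, and any upstream that filters paths containing ASNs it does not expect from you may drop the expanded announcement outright; verify with the upstreams before relying on it during an incident.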


On 24/01/2016 10:35, tim tiriche wrote:
> Hello,
>
> How do big companies manage traffic on ISP links automatically?
>
> For example: I have 10 ISP/Transit links and all announcing the same prefixes.
>
> During a DDoS attack, one of the ISP links got saturated.
>
> I would like to be able to do something like: if bandwidth exceeds 50%, use other
> links.
>
> In MPLS, we can leverage RSVP subscription.  Is there a way to automate
> this for Transit peers?
>
> In the past, I have used AS path prepending for certain prefixes, which is slow and does
> not help for short-lived DDoS attacks.
>
> Thanks!
> -tim
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
