[j-nsp] [EXT] Re: Decoding DDOS messages

Saku Ytti saku at ytti.fi
Wed Mar 18 12:33:11 EDT 2020


On Wed, 18 Mar 2020 at 18:28, Chuck Anderson <cra at wpi.edu> wrote:

> term bgp-inbound {
>     from {
>         source-prefix-list {
>             bgp-neighbors-v4;
>         }
>         protocol tcp;
>         source-port 1024-65535;
This is immaterial; you don't care what this SPORT is. Be liberal.

> term bgp-replies {
>     from {
>         source-prefix-list {
>             bgp-neighbors-v4;
>         }
>         protocol tcp;
>         source-port bgp;
>         destination-port 1024-65535;
This you care about very much, and the ephemeral range in your device is
49125-65535; 1024-49124 could have something listening in them.
If you are in a position where you only have customers and RR, with no peers
or anything else where there is no 'owner', you should set your
customer BGP to passive, so the customer _always_ starts the BGP session; you will
never try to start it. Equally you should set your RR to passive, so
clients always connect to the RR, never the RR to the clients.
This will allow greatly simplified filters for BGP, much safer, as
well as a trivial way to police iBGP and eBGP separately, in times when
ddos-protection was not available.

-- 
  ++ytti
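Added illustration (not from the thread, nor Juniper's code): a small Python model of Junos-style first-match evaluation over the two quoted terms. It assumes the prefix-list bgp-neighbors-v4 contains 192.0.2.0/24 and that the sample packets are constructed; it compares the filter as quoted, the same filter with the replies term narrowed to the 49125-65535 ephemeral range named above, and the single-term filter that is enough once every session is passive on the router side.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the prefix-list "bgp-neighbors-v4" (TEST-NET-1).
BGP_NEIGHBORS_V4 = [ip_network("192.0.2.0/24")]
BGP = 179


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Term:
    """One firewall term: source must be a BGP neighbour, TCP, ports in range."""
    name: str
    sport: tuple  # (low, high), inclusive
    dport: tuple  # (low, high), inclusive

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.proto == "tcp"
            and any(ip_address(pkt.src) in net for net in BGP_NEIGHBORS_V4)
            and self.sport[0] <= pkt.sport <= self.sport[1]
            and self.dport[0] <= pkt.dport <= self.dport[1]
        )


def first_match(terms, pkt: Packet):
    """First matching term wins; None models the implicit discard at the end."""
    for term in terms:
        if term.matches(pkt):
            return term.name
    return None


# Filter as quoted: replies may land on any destination port >= 1024.
LOOSE = [
    Term("bgp-inbound", sport=(1024, 65535), dport=(BGP, BGP)),
    Term("bgp-replies", sport=(BGP, BGP), dport=(1024, 65535)),
]
# Replies term narrowed to the device's ephemeral range (49125-65535 per the reply).
TIGHT = [
    Term("bgp-inbound", sport=(1024, 65535), dport=(BGP, BGP)),
    Term("bgp-replies", sport=(BGP, BGP), dport=(49125, 65535)),
]
# Passive-only: the router never initiates, so no replies term is needed at all.
PASSIVE_ONLY = [Term("bgp-inbound", sport=(1024, 65535), dport=(BGP, BGP))]

ROUTER = "192.0.2.1"    # constructed
NEIGHBOR = "192.0.2.2"  # constructed, inside bgp-neighbors-v4

# Constructed sample packets, all from a listed neighbour address.
SAMPLES = {
    # customer opened the session: ephemeral source port, destination 179
    "customer_initiated": Packet(NEIGHBOR, ROUTER, "tcp", 51000, BGP),
    # reply to a session the router opened: source 179, ephemeral destination
    "reply_to_our_session": Packet(NEIGHBOR, ROUTER, "tcp", BGP, 52000),
    # source 179 aimed at a port in 1024-49124 where some daemon may listen
    "reaches_other_service": Packet(NEIGHBOR, ROUTER, "tcp", BGP, 2000),
}


def evaluate(terms) -> dict:
    """Return {sample name: accepting term name or None} for a term list."""
    return {name: first_match(terms, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, terms in (("loose", LOOSE), ("tight", TIGHT), ("passive-only", PASSIVE_ONLY)):
        print(label, evaluate(terms))
```

The loose filter lets source-port-179 traffic reach port 2000; narrowing the destination range discards it while still accepting genuine replies; and with passive sessions the replies term can be dropped outright, since customer-initiated traffic always arrives with destination port 179.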