[nsp-sec] DDoS-RS and LG visibility

Tim Wilde twilde at cymru.com
Mon Dec 13 14:31:39 EST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/13/2010 6:16 AM, Pekka Savola wrote:
> The page says "In addition, if you have a looking glass server within
> your network please make sure to filter DDoS routes from appearing on it
> as well."
> 
> We're not using the service but are thinking about doing so. However, I
> do not see a way to meet the requirement above reliably.  How have you
> that are using it done it?
> 
> (This could be easy if the output from LG was a single line per route
> and you could grep them out, but this is not the case.)

Pekka & Team,

Caveat emptor: I am no routing expert, I don't even play one on TV. :)

My understanding is that you should be able to use some appropriate
route maps to keep the routes from the DDoS-RS tagged with some type of
community that has meaning to you within your IGP. Rather than making
them identical to any other null routes you may have, keep them separate
this way; then in the looking glass you can simply discard any
routes tagged with that community (or, on your peering sessions with the
looking glass from other routers, filter out those routes from even
being sent). This should (in my admittedly limited understanding of
these things :)) relatively seamlessly and simply keep those routes out
of the public eye.

My apologies if you've already gotten another (and likely better) answer
from someone who's actually doing this, off-list; hopefully this is at
least somewhat helpful!

Best regards,
Tim

- -- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk0GdJoACgkQluRbRini9thgVwCeJukaJATD72ci+cj4tHmVQGf6
5aUAn1Ys/sfiYrnAVROsFLR3PrBqS4iG
=2ABa
-----END PGP SIGNATURE-----
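As an added illustration of the approach Tim describes (this is not code from the thread, from Team Cymru, or from any looking-glass project), the script below filters multi-line looking-glass output by BGP community rather than by single-line grep, which is the problem Pekka raised. It assumes that routes learned from the DDoS-RS are tagged with a dedicated community (the value 65000:666 here is a constructed placeholder) and that the looking glass returns IOS-style "show ip bgp <prefix>" text, where each path is a block of several lines; the sample output is constructed for the example. When every path for a prefix carries the hidden community, the prefix is reported exactly as an unknown network would be, so the looking glass does not reveal that a blackhole exists for it.

```python
"""Hide DDoS-RS / blackhole routes from looking-glass output by community.

Added example, not part of the original nsp-sec thread. Assumptions:
the DDoS-RS routes carry the constructed community 65000:666, and the
looking glass returns IOS-style multi-line "show ip bgp <prefix>" text.
"""
import re

HIDDEN_COMMUNITIES = {"65000:666"}   # constructed: community applied to DDoS-RS routes

ENTRY_RE = re.compile(r"^BGP routing table entry for (\S+)", re.M)
# A path block starts with an AS-path line indented by exactly two spaces.
PATH_START_RE = re.compile(r"^  (Local|\d+(?: \d+)*)\s*$")
COMMUNITY_RE = re.compile(r"^\s+Community: (.*)$")
PATHS_LINE_RE = re.compile(r"^Paths: \(\d+ available.*\)$")


def split_paths(entry_text):
    """Split one prefix entry into (header_lines, [path_block_lines, ...])."""
    header, paths = [], []
    for line in entry_text.splitlines():
        if PATH_START_RE.match(line):
            paths.append([line])
        elif paths:
            paths[-1].append(line)
        else:
            header.append(line)
    return header, paths


def path_communities(block):
    """Return the set of communities listed in one path block."""
    comms = set()
    for line in block:
        m = COMMUNITY_RE.match(line)
        if m:
            comms.update(m.group(1).split())
    return comms


def filter_entry(entry_text, hidden=HIDDEN_COMMUNITIES):
    """Drop paths tagged with a hidden community; None if no path is left."""
    header, paths = split_paths(entry_text)
    kept = [p for p in paths if not (path_communities(p) & hidden)]
    if not kept:
        return None
    out = []
    for line in header:
        if PATHS_LINE_RE.match(line):
            # Regenerate the count; the original "best #N" index may no longer apply.
            line = f"Paths: ({len(kept)} available)"
        out.append(line)
    for p in kept:
        out.extend(p)
    return "\n".join(out)


def filter_lg_output(text, hidden=HIDDEN_COMMUNITIES):
    """Filter looking-glass output that may hold several prefix entries."""
    starts = [m.start() for m in ENTRY_RE.finditer(text)]
    if not starts:
        return text
    results = []
    if text[:starts[0]].strip():
        results.append(text[:starts[0]].rstrip("\n"))
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        filtered = filter_entry(text[start:end].rstrip("\n"), hidden)
        # A fully hidden prefix looks just like an unknown one to the viewer.
        results.append(filtered if filtered is not None else "% Network not in table")
    return "\n".join(results)


# Constructed sample: one prefix with a blackhole path plus a normal path,
# and one prefix whose only path is the blackhole.
SAMPLE_LG_OUTPUT = """\
BGP routing table entry for 192.0.2.0/24, version 1234
Paths: (2 available, best #1, table default)
  Advertised to update-groups:
     1
  65000
    10.0.0.1 from 10.0.0.1 (10.0.0.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Community: 65000:666 no-export
  65001 65002
    198.51.100.1 from 198.51.100.1 (198.51.100.1)
      Origin IGP, localpref 100, valid, external
      Community: 65001:100
BGP routing table entry for 203.0.113.0/24, version 1235
Paths: (1 available, best #1, table default)
  65000
    10.0.0.1 from 10.0.0.1 (10.0.0.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Community: 65000:666
"""

if __name__ == "__main__":
    print(filter_lg_output(SAMPLE_LG_OUTPUT))
```

Filtering at the looking-glass front end is the weaker of the two options Tim mentions: the routes are still present on the router answering the query, and the filter has to keep pace with whatever output format the router emits. Keeping the community-tagged routes off the session to the looking-glass router in the first place (an outbound route map or prefix policy on the peers feeding it) removes the data rather than redacting it, and the script above then serves as a second line of defence.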
