Subject: Re: [Fwd: Re: Application Note: Securing BGP on Juniper Routers]
Iljitsch van Beijnum wrote:

> Ok, what I'm missing here is the final "permit ip any any" (or similar)
> line. If this one has a few million matches, it's clearly worthwhile to do
> this. But if it's many billions, then you're only catching one packet in a
> thousand or so.

Actually, I screened that out because company info is considered confidential. The point is that these ACLs stay at a zero count for a long time, and suddenly increase for all reserved networks. It's easy AND non-disruptive, when an ACL like this is in place, to just clear the counters and observe the ACL. Since we web-host a few "hacker favorites", we have to clear counters regularly.

> Well, you only get rid of about a third of the randomly spoofed packets,
> but I guess that's better than nothing.

You cannot rely on any BGP peer to filter all unwanted traffic. The golden rule in the real world is: "Do not trust anyone, filter yourself."

> As long as we're talking about anti-(D)DoS measures, tell me what you
> think of http://www.bgpexpert.com/antidos.php

OK, here are my remarks... (and if you update your web page, be sure to include credentials...)

The 'Destination Address Filtering' has been in use for more than a year at UUNet (->MCI, ->Worldcom, ->???) and has been proven to _me_ to be very successful. A year ago, just after a US spy plane was forced to land in Hainan, they shut down a DoS attack for me within 5 minutes, locating the source at an ISP in China, while another 'Major ISP' still needs 3 months to track and shut down malicious traffic. I cannot locate the document that describes the exact technique they use at this very moment, but as I remember it was at least 2 years old. I must check my archives, since I forwarded it some time ago to that other 'Major ISP'.

The Unicast RPF method will only work in a single router / single ISP situation (and who wants to be in that situation nowadays?) since it does not allow for split traffic paths. Similar for TCP Intercept, another Cisco feature that relies on one path in, one path out. These features are nice for SOHO users like you and me, but hardly for companies that do 'business on the web' and require redundancy.

Ton Schoenmakers
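The practice described in the message above (deny entries for reserved source networks that sit at zero for weeks, then jump for every reserved range at once when spoofed traffic arrives, so you clear the counters and watch) can be emulated offline. The following is an added example, not code from the post or from any router vendor: it classifies sampled source addresses against a short reserved-prefix list, keeps per-entry hit counts the way ACL line counters do, and compares a reading taken after "clear counters" with a later one to flag entries that spiked. The prefix list, the sample addresses and the spike threshold are all constructed for the example; a real deployment would use a maintained bogon list.

```python
# Added example (not part of the original mailing-list post): a small
# ACL-counter emulator for reserved-source filtering.
import ipaddress
from collections import Counter

# Reserved / private source prefixes that should never arrive on an
# Internet-facing ingress interface (RFC 1918, loopback, link-local,
# multicast, class E). Constructed short list; a maintained bogon list
# would be longer.
RESERVED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def classify(src):
    """Return the reserved prefix (as a string) matching src, or None."""
    addr = ipaddress.ip_address(src)
    for net in RESERVED_PREFIXES:
        if addr in net:
            return str(net)
    return None


def acl_counters(sources):
    """Emulate per-line ACL hit counters: one counter per reserved
    prefix, plus the final 'permit any' line for everything else."""
    counts = Counter()
    for src in sources:
        hit = classify(src)
        counts[hit if hit else "permit any"] += 1
    return counts


def spike_detect(baseline, current, threshold=10):
    """Compare a reading taken right after 'clear counters' (baseline)
    with a later one; return deny entries whose count grew by at least
    threshold hits. The permit line is ignored, as in the post."""
    return sorted(
        p for p in current
        if p != "permit any" and current[p] - baseline.get(p, 0) >= threshold
    )


# Constructed sample data. The documentation addresses stand in for
# ordinary routable sources here (they are not in RESERVED_PREFIXES),
# and the burst adds many packets with reserved source addresses.
QUIET = ["203.0.113.5", "198.51.100.7", "192.0.2.9"] * 4 + ["10.1.2.3"]
BURST = QUIET + ["10.1.2.3"] * 12 + ["192.168.0.1"] * 15 + ["172.20.5.5"] * 3

if __name__ == "__main__":
    base = acl_counters(QUIET)   # reading just after clearing counters
    now = acl_counters(BURST)    # reading some time later
    print("baseline:", dict(base))
    print("now:     ", dict(now))
    print("spiking reserved prefixes:", spike_detect(base, now))
```

With the constructed data the 10.0.0.0/8 and 192.168.0.0/16 entries grow by 12 and 15 hits and are reported, while the 172.16.0.0/12 entry (3 hits) stays below the threshold; the point is the relative jump from a cleared baseline, not the absolute count.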