[isp-bgp] Re: Suggested solution to prevent my prefixes from beingsuppressed (fwd)

[Ton Schoenmakers <ton-s-lijst@...>]

mmostafa@... wrote:
> Dear colleagues ,
> we are an ISP served by two international links
> from the same international ISP ( Dual homed AS ) .
> Our inbound traffic policy is to use one link as the main link and the
> other as a backup , implemented by advertising our prefixes which is 
> registered to my organization with two diffrenet communities and our ISP 
> manuplate the downstream traffic via Local prefernce .
> We are suffering from a sequence of DDOS attacks targeting our ips , 
> causing one of the two running BGP sessions with our international 
> provider to flap 3 or 4 times  each time we are subjected to such 
> attacks that results in a massive degradation in our downstream traffic 
> due to route flap damping .
> I have a suggested soltion that i will be gatefull if you advise me if 
> there is any reasons makes it unfeasible or if there are any drawbacks 
> which is :
> 1-we advertise 3 ip blocks to our international ISP through both links , 
> i will break each block into 2 more specific contigouse components , 
> hence my international ISP edge routers will have 2 copies of 6 more 
> specific compnents with diffrent LP , then i will ask my ISP to 
> aggregate them back to the original 3 bloocks and suppress more specific 
> components plus keeping the AS path information as its in form of AS-SET .
> Your advise is highly appreciated
> Best Regards
> Mostafa Ali
>         _____________________________________________________
Mostafa,

DoS and DDoS attacks are not difficult to avert on the (BGP) router level.  But it needs a little more detail.  You don't have to give that here, but general rules are:

Dou you have a single IP attacked, or the whole prefix that you advertise? 
This is important, because if it is a single IP, you simply ask your ISP to block traffic to this IP until the attack is over. All ISP's will (read: should) do that for you, and some will even be capable to track down the real source of the attack, even when spoofed (UUNet has implemented a wonderful tool for this. It is capable of tracking and blocking malicious traffic in 5 minutes on their backbone network (AS701) ).
This will leave the attacked IP useless, but will save your links from being overloaded to the point that BGP will stop working. It will kill one IP, but leave the other customers up-and-running.
If you block it yourself at your routers (firewalls), it is too late.  They have already consumed your bandwith.  Go for an OC3, I have not seen DoS attacks that could saturate those babies.....

If it is a scan on ALL of your IP's, you will have to look at ports and protocols that are  used in the DoS attack to determine your next line of defense.  
Look at the tools for different platforms on http/:www.cymru.com for more specific info.

Ton Schoenmakers

       _____________________________________________________

       ** ISPCON Fall 2004 - Santa Clara Convention Center **
        ** The ISP and WISP event - http://www.ispcon.com **
** Fill your brain.  Meet the people.  Join the industry gathering. **
      ________________________________________________________






To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.