How do you prevent this from being used as a DOS attack by itself?

--Dean

On Tue, 8 Apr 2003, Peering wrote:

> These days Remote trigger black hole routing is a very hot issue and each
> provider is configuring the network individually. This technique is used to
> mitigate the Denial of Service (DoS) Attack. We are also using this
> technique and providing this service only to our customers. So if a customer
> advertises a prefix attached with a special community (for example ASN:9999)
> then we take the following actions:
>
> - Set the next hop IP for this prefix to 192.0.2.1
>
> - Already configured static route for 192.0.2.0/24 and the next hop is set
>   to Null0
>
>   ip route 192.0.2.0 255.255.255.0 null0
>
> - Null0 interface is already configured to not acknowledge ICMP packets.
>
>   interface null0
>    no ip unreachables
>
> - Advertise this prefix to all other routers inside our backbone.
>
> Each Service provider has defined their own community for this purpose (due
> to the unavailability of a well known community). Few service providers are
> trying to exchange this community with other peering members other than
> customers.
>
> I think we should have a well known community attribute for this purpose,
> for example "DISCARD". This community attribute could be additive with other
> existing well known communities (NOEXPORT, NOADVERTISE and INTERNET) to
> control the advertisement of the prefix.
>
> Even though it is never explicitly mentioned that well-known communities
> trigger actions in BGP without further user configuration, we may or may not
> choose to set an action for this community. An action could be defined to
> discard the traffic.
>
> As I mentioned above this new community could be used with other well known
> communities. For example if DISCARD and NOEXPORT are attached with a prefix, it
> means the traffic destined for that prefix will be discarded locally on that
> router and will not get advertised to any External BGP peer.
>
> Comments ??????
>
> Cheers,
> Shahid Ajaz
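Dean's question is about a customer using the trigger community to discard traffic for address space it does not own. The policy check below is an added example, not code from this thread or from any provider: before honouring the community it requires the prefix to fall inside the blocks the customer is authorised to announce, caps the number of active blackholes per customer, rewrites the next hop to the 192.0.2.1 from the post and adds NO_EXPORT so the route stays inside the backbone. The ASN 64500, the community 64500:9999 and the sample prefixes are constructed placeholders.

```python
import ipaddress

# Constructed placeholders for this example; the discard next hop is the one
# from the post (statically routed to Null0 on every backbone router).
PROVIDER_ASN = 64500                         # documentation-range ASN
BLACKHOLE_COMMUNITY = f"{PROVIDER_ASN}:9999"  # the post's "ASN:9999"
DISCARD_NEXT_HOP = "192.0.2.1"
NO_EXPORT = "no-export"
MAX_BLACKHOLES_PER_CUSTOMER = 100            # arbitrary per-session cap


def evaluate_blackhole_update(customer_blocks, prefix, communities, active_count=0):
    """Decide what to do with one BGP update received from a customer session.

    customer_blocks: prefixes this customer is authorised to announce (the same
    data that feeds the session's prefix-list). Returns a (verdict, detail) pair:
    ("pass", ...) for an ordinary route, ("accept", attrs) for a blackhole that
    will be installed, or ("reject", reason) when the trigger must be ignored.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return ("reject", f"malformed prefix: {exc}")

    if BLACKHOLE_COMMUNITY not in communities:
        return ("pass", {"prefix": str(net)})  # normal customer policy applies

    # Core safeguard: a customer may only sink traffic for its own address space.
    owned = [ipaddress.ip_network(b) for b in customer_blocks]
    if not any(b.version == net.version and net.subnet_of(b) for b in owned):
        return ("reject", "prefix not covered by customer's authorised blocks")

    # Bound the blast radius of a misbehaving or compromised customer router.
    if active_count >= MAX_BLACKHOLES_PER_CUSTOMER:
        return ("reject", "per-customer blackhole limit reached")

    attrs = {
        "prefix": str(net),
        "next_hop": DISCARD_NEXT_HOP,
        "communities": sorted(set(communities) | {NO_EXPORT}),
    }
    return ("accept", attrs)


if __name__ == "__main__":
    blocks = ["203.0.113.0/24"]                       # constructed customer allocation
    print(evaluate_blackhole_update(blocks, "203.0.113.77/32", [BLACKHOLE_COMMUNITY]))
    print(evaluate_blackhole_update(blocks, "198.51.100.1/32", [BLACKHOLE_COMMUNITY]))
```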