On Jan 30, 2008 3:54 PM, Deepak Jain <[EMAIL PROTECTED]> wrote:
>
>
> This is prior art. (Assuming your hardware has a hardware blackhole (or
> you have a little router sitting on the end of a circuit)) you adjust
> your route-map that would deny the entry to set a community or next-hop
> pointing to your blackhole location.
>
> Nowadays, most equipment can blackhole internally (to null0 say) at full
> speed, so it isn't an issue. Just set your next hop to a good null0
> style location on route import and you are done for traffic destined to
> those locations.
>

...do uRPF-loose-mode and you kill FROM these locations as well...

> For inbound traffic from those locations you would need to do policy
> routing (because you are looking up on source). If you are trying to

(uRPF loose-mode)

> block SPAM or anything TCP related, you only need to block 1 direction
> to end the conversation.
>

be cautious of 'synflooding' your internal hosts with this though... Null0
doesn't generate unreachables at packet-rate, but at a lower (1:1000 I
believe on cisco by default) rate.

> Sounds harsh, but hey, it's your network.
>

wee! and for some extra fun, just append the bad-guy's ASN to your route
announcements, force bgp loop-detection to kill the traffic on their end
(presuming they don't default-route as well)
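The three mechanisms traded in the message above (a blackhole next hop that recurses onto Null0, uRPF loose mode dropping packets *from* the blackholed prefix, and AS_PATH loop detection on the far side) fit in one small forwarding-plane model. This is an added example, not code from the NANOG thread or from any vendor; the prefixes, ASNs, interface names, the 192.0.2.1 blackhole address and the 64496:666 community are all assumptions. It also models the Cisco `allow-default` behaviour that the thread does not mention: a source that is only reachable via the default route fails loose-mode uRPF unless that option is set.

```python
"""Toy model: blackhole next hop -> Null0, uRPF loose mode, AS_PATH loop detection.

Added example, not from the thread. All addresses and ASNs are assumptions
taken from documentation ranges (RFC 5737 / RFC 5398).
"""
import ipaddress

NULL0 = "Null0"
BLACKHOLE_NEXT_HOP = "192.0.2.1"     # assumed: /32 with a static route to Null0
BLACKHOLE_COMMUNITY = "64496:666"    # assumed: community matched by the import route-map


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


class Fib:
    """Longest-prefix-match table; a next hop is an IP (recursive) or an interface."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        hits = [(n, nh) for n, nh in self.routes if a in n]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def resolve(self, addr, allow_default=True):
        """Follow recursive next hops to an interface; None if unroutable."""
        seen = set()
        while True:
            hit = self.lookup(addr)
            if hit is None or (hit[0].prefixlen == 0 and not allow_default):
                return None
            nh = hit[1]
            if not _is_ip(nh):
                return nh                 # interface name: Null0, Gi0/0, ...
            if nh in seen:
                return None               # recursion loop: treat as unresolved
            seen.add(nh)
            addr = nh


def import_route(fib, prefix, next_hop, communities=()):
    """Import route-map: the blackhole community rewrites the next hop."""
    if BLACKHOLE_COMMUNITY in communities:
        next_hop = BLACKHOLE_NEXT_HOP
    fib.add(prefix, next_hop)


def forward(fib, src, dst, urpf_loose=False, urpf_allow_default=False):
    """Decide one packet: forward:<iface>, drop:null0, drop:urpf or drop:no-route."""
    if urpf_loose:
        # Loose mode: source must resolve to a real interface, never Null0;
        # a default route only counts when allow-default is configured.
        if fib.resolve(src, allow_default=urpf_allow_default) in (None, NULL0):
            return "drop:urpf"
    out = fib.resolve(dst)
    if out is None:
        return "drop:no-route"
    return "drop:null0" if out == NULL0 else "forward:" + out


def peer_accepts(peer_asn, as_path):
    """RFC 4271 loop detection: a router drops any route whose AS_PATH holds its own ASN."""
    return peer_asn not in as_path


def build_edge_router():
    fib = Fib()
    fib.add("0.0.0.0/0", "Gi0/0")                          # upstream (assumed)
    fib.add(BLACKHOLE_NEXT_HOP + "/32", NULL0)              # ip route 192.0.2.1/32 Null0
    fib.add("198.51.100.0/24", "Gi0/1")                     # our customers (assumed)
    import_route(fib, "203.0.113.0/24", "192.0.2.254",      # bad-guy prefix (assumed)
                 communities=[BLACKHOLE_COMMUNITY])
    return fib


def demo():
    fib = build_edge_router()
    inside, bad, ext = "198.51.100.10", "203.0.113.7", "192.0.2.200"
    r = {
        "to_bad": forward(fib, inside, bad),
        "from_bad_no_urpf": forward(fib, bad, inside),
        "from_bad_urpf": forward(fib, bad, inside, urpf_loose=True),
        "ext_urpf_no_allow_default": forward(fib, ext, inside, urpf_loose=True),
        "ext_urpf_allow_default": forward(fib, ext, inside, True, True),
    }
    our_asn, bad_asn = 64496, 64500
    announce = [our_asn, bad_asn]          # assumed: set as-path prepend 64500 toward them
    r["bad_as_accepts_route"] = peer_accepts(bad_asn, announce)
    r["other_as_accepts_route"] = peer_accepts(64501, announce)
    bad_fib = Fib()                        # the bad guy's own router
    if peer_accepts(bad_asn, announce):
        bad_fib.add("198.51.100.0/24", "Gi0/2")
    r["bad_reaches_us_no_default"] = forward(bad_fib, bad, inside)
    bad_fib.add("0.0.0.0/0", "Gi0/3")      # ...unless they carry a default route
    r["bad_reaches_us_with_default"] = forward(bad_fib, bad, inside)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:30s} {v}")
```

The `resolve` loop is the whole point of the "set next hop on import" trick: the BGP route for 203.0.113.0/24 carries an ordinary-looking next hop, but that /32 is itself a static route to Null0, so every lookup for the prefix lands in the bit bucket, and the same lookup on the source address is what makes loose-mode uRPF drop the reverse direction without any policy routing. The last two results are the caveat from the message: the prepended ASN makes the far side discard the route, which helps only while they have no default to fall back on.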