Roland Dobbins wrote:
>
> On Aug 8, 2009, at 11:57 AM, Luke S Crawford wrote:
>
>> 2. is there a standard way to push a null-route on the attacker's
>> source IP upstream?
>
> Sure - if you apply loose-check uRPF (and/or strict-check, when you can
> do so) on Cisco or Juniper routers, you can combine that with the
> blackhole to give you a source-based remotely-triggered blackhole, or
> S/RTBH. You can do this at your edges, and you *may* be able to arrange
> it with other networks with whom you connect (i.e., scope limited to
> your link with them).

Warren Kumari and others collaborated on a document to describe how this
is normally done:

http://tools.ietf.org/html/draft-ietf-opsec-blackhole-urpf-04

Coordination with your upstreams before you need this is important.

> Combine that with the other standard architectural and hardening BCPs,
> along with the DNS BCPs, and you'll be much better prepared to detect,
> classify, traceback, and mitigate attacks. The key is to ensure you're
> making use of hardware-based routers which can handle high pps.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>
>
> Unfortunately, inefficiency scales really well.
>
> -- Kevin Lawton
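
Added example, not part of the original thread or the linked draft: a Cisco IOS sketch of the S/RTBH arrangement described above, with loose-check uRPF on the edges and a trigger router that announces the source to be dropped over iBGP. The ASN (64496), interface name, tag value (66), route-map name and all addresses are assumptions drawn from documentation ranges.

```cisco
! ===== On every edge router =====
! Discard next-hop: any BGP route whose next-hop is 192.0.2.1
! resolves to Null0 in the FIB.
ip route 192.0.2.1 255.255.255.255 Null0
!
interface Null0
 ! Do not generate ICMP unreachables for dropped packets
 no ip unreachables
!
interface GigabitEthernet0/0
 description upstream-facing edge (hypothetical interface name)
 ! Loose-check uRPF: drop packets whose SOURCE has no FIB route
 ! or whose FIB route points at Null0
 ip verify unicast source reachable-via any
!
! ===== On the trigger router (iBGP peer of the edges) =====
route-map RTBH-TRIGGER permit 10
 ! Only static routes carrying the trigger tag are announced
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 ! Keep the blackhole route inside this AS
 set community no-export
route-map RTBH-TRIGGER deny 20
!
router bgp 64496
 redistribute static route-map RTBH-TRIGGER
 ! iBGP sessions to the edges need "send-community" for no-export
!
! ===== Operating it (on the trigger router) =====
! Drop traffic sourced from a constructed example address:
ip route 203.0.113.45 255.255.255.255 Null0 tag 66
! Withdraw the block once the attack has stopped:
! no ip route 203.0.113.45 255.255.255.255 Null0 tag 66
```

The same /32 also blackholes traffic destined to that address, so legitimate users behind it lose reachability to you in both directions until the route is withdrawn. Loose mode passes a source only if the FIB has a route for it, so check how each edge treats sources covered only by a default route before enabling it.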