This is a 20+ year old solution. Ugly because you will block good traffic and on your effort to protect your network you will block legitimate traffic too (satisfying the attacker) but most upstream providers will give you a community to use (Cogent is a notable exception) and tag the prefix under attack so that the attack will not reach your network. Sadly most IXs after 20 years they still don't understand the need for this community but at least someone has written an rfc so that all of us use the same community. At least we made some progress there...
-----Original Message----- From: NANOG <nanog-boun...@nanog.org> On Behalf Of Paul S. Sent: Sunday, February 3, 2019 11:08 PM To: nanog@nanog.org Subject: [EXTERNAL] Re: RTBH no_export +1, exactly what we did. I also recommend implementing per-upstream/region blackhole communities (so your users can choose who to blackhole as they see fit.) Often time, DDoS traffic comes from regions that do not intersect with legitimate traffic. On 2/4/2019 03:15 午前, Tom Hill wrote: > On 31/01/2019 20:17, Nick Hilliard wrote: >> you should implement a different community for upstream blackholing. >> This should be stripped at your upstream links and replaced with the >> provider's RTBH community. Your provider will then handle export >> restrictions as they see fit. > > This works wonderfully, from past experience. :) > This email is from Equinix (EMEA) B.V. or one of its associated companies in the territory from where this email has been sent. This email, and any files transmitted with it, contains information which is confidential, is solely for the use of the intended recipient and may be legally privileged. If you have received this email in error, please notify the sender and delete this email immediately. Equinix (EMEA) B.V.. Registered Office: Amstelplein 1, 1096 HA Amsterdam, The Netherlands. Registered in The Netherlands No. 57577889.
