nanog mailing list archives
Re: [EXTERNAL] Re: RTBH no_export
From: i3D.net - Martijn Schmidt <martijnschmidt () i3d net>
Date: Mon, 4 Feb 2019 09:01:20 +0000
Cogent does let you use RTBH, but on a separate BGP session to a blackhole server. So it's a bit more hassle to set it up policy-wise, because it deviates from the standard. Same story for "former GlobalCrossing", now CenturyLink's AS3549, which is still used for LATAM and Asia. Best regards, Martijn On 2/4/19 9:39 AM, Nikos Leontsinis wrote:
This is a 20+ year old solution. Ugly because you will block good traffic and on your effort to protect your network you will block legitimate traffic too (satisfying the attacker) but most upstream providers will give you a community to use (Cogent is a notable exception) and tag the prefix under attack so that the attack will not reach your network. Sadly most IXs after 20 years they still don't understand the need for this community but at least someone has written an rfc so that all of us use the same community. At least we made some progress there... -----Original Message----- From: NANOG <nanog-bounces () nanog org> On Behalf Of Paul S. Sent: Sunday, February 3, 2019 11:08 PM To: nanog () nanog org Subject: [EXTERNAL] Re: RTBH no_export +1, exactly what we did. I also recommend implementing per-upstream/region blackhole communities (so your users can choose who to blackhole as they see fit.) Often time, DDoS traffic comes from regions that do not intersect with legitimate traffic. On 2/4/2019 03:15 午前, Tom Hill wrote:On 31/01/2019 20:17, Nick Hilliard wrote:you should implement a different community for upstream blackholing. This should be stripped at your upstream links and replaced with the provider's RTBH community. Your provider will then handle export restrictions as they see fit.This works wonderfully, from past experience. :)This email is from Equinix (EMEA) B.V. or one of its associated companies in the territory from where this email has been sent. This email, and any files transmitted with it, contains information which is confidential, is solely for the use of the intended recipient and may be legally privileged. If you have received this email in error, please notify the sender and delete this email immediately. Equinix (EMEA) B.V.. Registered Office: Amstelplein 1, 1096 HA Amsterdam, The Netherlands. Registered in The Netherlands No. 57577889.
Current thread:
- Re: RTBH no_export Randy Bush (Feb 01)
- <Possible follow-ups>
- Re: RTBH no_export Tom Hill (Feb 03)
- Re: RTBH no_export Paul S. (Feb 03)
- RE: [EXTERNAL] Re: RTBH no_export Nikos Leontsinis (Feb 04)
- Re: [EXTERNAL] Re: RTBH no_export i3D . net - Martijn Schmidt (Feb 04)
- Re: [EXTERNAL] Re: RTBH no_export Vincent Bernat (Feb 04)
- RE: [EXTERNAL] Re: RTBH no_export Nikos Leontsinis (Feb 04)
- Re: RTBH no_export Paul S. (Feb 03)
- Message not available
- Re: [EXTERNAL] Re: RTBH no_export John Kristoff (Feb 04)