4

When I am experiencing a DDoS at 10 Gbps, if I have a BGP router with 10M table entries in it, can I perform a search for the offending network?

I would do this as follows: first I would remove routing to me for the first /8 and see if the DDoS stops, and then search this way for the source of the DDoS across the complete 32-bit address space.

I am not very familiar with BGP, so I am not sure how long it takes to propagate, how long such a search would take and what the impact would be. I am also not sure whether I can actually stop some network from routing to me based on the IP numbers I download from RIPE and ARIN.

This is particularly for dealing with spoofed attacks, as normal ones can be traced more effectively.

Or how much bandwidth and how many locations do I need to withstand any kind of DDoS in Europe? I can re-route traffic with Route 53 latency-based DNS. A recently disclosed attack I read about was around 13 Gbps; would 20 Gbps be enough?

Andrew Smith

  • The very nature of DDoS, which is normally performed via compromised machines, makes this kind of effort futile. In nearly all cases the source machines will have dynamically assigned IP addresses. If you block an address and they acquire a new one, you've achieved nothing except the possibility that you're now blocking an innocent party. – John Gardeniers Aug 14 '12 at 02:32

2 Answers

6

BGP is a routing protocol. It can't be used to detect the attacking IP addresses.

On a router/network, the most efficient way to drop packets from attackers is to null-route the target IP as close as possible to the attacking networks. This means that your service will be unreachable for those networks.

This can be done with BGP through your transit providers, with a mechanism called RTBH, or Remotely-Triggered Black Hole routing.

There is an interesting post about RTBH here.

If you have only one router, null-routing the IPs will be done at the outside edge of your perimeter (firewall/router), hence completely removing your attacked services from the Internet, but also saturating your pipe.

If you want to know what IP addresses are used in the attacks, NetFlow/IPFIX would be the protocols to use.

EEAA
petrus
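The two mechanisms petrus describes, NetFlow to see what is hitting you and RTBH to have the transit provider drop the target, as an added Python example that is not part of the original answer. It builds a constructed NetFlow v5 export (the flow data is made up, not a capture), parses it, flags the destination that shows the spoofed-flood shape the thread is talking about (very many distinct sources, tiny packets, one target), records which ingress interface carried most of it, and prints the announcement you would hand to a BGP speaker. The ExaBGP `announce route ...` command text is an assumption about that tool's API syntax, 192.0.2.1 stands in for the provider's discard next-hop, and 65535:666 is the BLACKHOLE community from RFC 7999.

```python
"""Added example, not code from the original page: parse a NetFlow v5 export,
find a spoofed flood by its shape (many sources, tiny packets, one target),
see which ingress interface carries it, and emit the RTBH announcement.
All flow data below is constructed; the ExaBGP command syntax is an assumption."""
import socket
import struct
from collections import Counter, defaultdict

V5_HEADER = struct.Struct(">HHIIIIBBH")             # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record
BLACKHOLE = "65535:666"                             # RFC 7999 BLACKHOLE community


def ip2int(ip):
    return struct.unpack(">I", socket.inet_aton(ip))[0]


def int2ip(n):
    return socket.inet_ntoa(struct.pack(">I", n))


def build_v5_export(flows, max_per_datagram=30):
    """Constructed exporter: pack flow dicts into v5 datagrams, 30 records each like a real router."""
    datagrams, seq = [], 0
    for i in range(0, len(flows), max_per_datagram):
        chunk = flows[i:i + max_per_datagram]
        hdr = V5_HEADER.pack(5, len(chunk), 1000, 1344902400, 0, seq, 0, 0, 0)
        body = b"".join(V5_RECORD.pack(
            ip2int(f["src"]), ip2int(f["dst"]), 0, f["input"], 1,
            f["pkts"], f["bytes"], 0, 0, f["sport"], f["dport"],
            0, f.get("tcp_flags", 0), f["proto"], 0, 0, 0, 24, 24, 0) for f in chunk)
        datagrams.append(hdr + body)
        seq += len(chunk)
    return datagrams


def parse_netflow_v5(datagram):
    """Return one dict per flow record; reject other versions and truncated datagrams."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram")
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": int2ip(r[0]), "dst": int2ip(r[1]), "input": r[3],
                        "pkts": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
                        "tcp_flags": r[12], "proto": r[13]})
    return records


def summarise(records):
    """Per destination: packets, bytes, distinct sources, and which ingress ifIndex carried them."""
    per_dst = defaultdict(lambda: {"pkts": 0, "bytes": 0, "sources": set(), "input_ifs": Counter()})
    for r in records:
        d = per_dst[r["dst"]]
        d["pkts"] += r["pkts"]
        d["bytes"] += r["bytes"]
        d["sources"].add(r["src"])
        d["input_ifs"][r["input"]] += r["pkts"]
    return per_dst


def flood_targets(summary, min_sources=25, max_avg_pkt=128):
    """A spoofed flood looks like one target hit by very many sources sending tiny packets.
    Blocking sources is pointless there; the useful facts are the target and the ingress link."""
    flagged = []
    for dst, d in summary.items():
        avg = d["bytes"] / d["pkts"]
        if len(d["sources"]) >= min_sources and avg <= max_avg_pkt:
            flagged.append({"dst": dst, "sources": len(d["sources"]), "pkts": d["pkts"],
                            "bytes": d["bytes"], "top_input_if": d["input_ifs"].most_common(1)[0][0]})
    return sorted(flagged, key=lambda f: -f["pkts"])


def exabgp_announce(target_ip, next_hop="192.0.2.1"):
    """Assumed ExaBGP API command: announce the attacked /32 tagged BLACKHOLE so the transit
    provider discards it at its edge (RTBH). next_hop is the provider's discard next-hop."""
    return f"announce route {target_ip}/32 next-hop {next_hop} community [{BLACKHOLE}]"


def sample_flows():
    """Constructed data: three real HTTPS sessions plus a 40-source spoofed UDP/53 flood."""
    legit = [{"src": f"198.51.100.{5 + i}", "dst": "203.0.113.10", "input": 1, "pkts": 400,
              "bytes": 560000, "sport": 50000 + i, "dport": 443, "proto": 6, "tcp_flags": 0x18}
             for i in range(3)]
    flood = [{"src": f"192.0.2.{i + 1}", "dst": "203.0.113.20", "input": 2 if i % 10 else 1,
              "pkts": 1, "bytes": 60, "sport": 12345, "dport": 53, "proto": 17} for i in range(40)]
    return legit + flood


def run_demo():
    records = [r for dg in build_v5_export(sample_flows()) for r in parse_netflow_v5(dg)]
    flagged = flood_targets(summarise(records))
    for f in flagged:
        print(f"{f['dst']}: {f['sources']} sources, {f['pkts']} pkts, mostly via ifIndex {f['top_input_if']}")
        print("  ->", exabgp_announce(f["dst"]))
    return flagged


if __name__ == "__main__":
    run_demo()
```

The thresholds in `flood_targets` are deliberately crude; on a real collector you would set them against your baseline source counts and packet sizes, and you would check the sampling field in the header before trusting absolute packet counts. Note what the summary does and does not give you for a spoofed flood: the per-source list is worthless (40 distinct, forged addresses), but the target and the ingress interface are exactly what an RTBH announcement and a call to the transit provider need.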
3

No, that won't work.

Your routing table controls how you reach everyone else. Everyone else's routing tables control how they reach you.

You can't remove other people's routing entries to you with specificity. The way other networks pass on routes to you is based on their routing policies, not yours. All you can do is stop advertising routes, and that will cause everyone to lose that route to you.

David Schwartz
  • But I advertise a route to my subnet via different tier-1 providers, so I can null route some subnets upon my request, as I want to reject traffic. – Andrew Smith Aug 14 '12 at 20:24
  • That won't do much except perhaps allow you to figure out which link(s) you were receiving the DDoS packets on. (Assuming you don't happen to run a tier 1 ISP: If you don't send a route out to at least one provider you are a customer of, many people will be unable to reach you. If you do, everyone will be able to reach you. You'll just change the route they take.) – David Schwartz Aug 14 '12 at 22:02