On 4/6/20 4:50 PM, Frank Bulk wrote:
> One of our IPs, 96.31.13.225, was on the receiving end of a volumetric DoS
> attack for about 20 minutes and some of the incoming traffic was going
> over our MICE link.
> 
> Do the MICE admins have a way to blackhole our IP, if needed?

No.

I'd love to see us implement something like this:
https://www.seattleix.net/blackholing

Let's see if we can get this done. Here's what I see as steps:

1) Pick IPs and MACs.
   Here's a proposal:
     IPv4: 206.108.255.0
       same idea as SIX
     IPv6: 2001:504:27:0:0:FFFF::666
       from 65535:666 used in RFC 7999
     MAC: 66:66:de:ad:be:ef
       same as SIX

2) Jeremy?: Configure MAC ACLs to drop traffic to that MAC on the core
            switches.

3) Doug?:   Configure the route servers to:
              accept /32 (IPv4) and /128 (IPv6)
              set next-hop to the blackhole IP (see above)
              add no-export community
            when:
              next-hop == blackhole IP
              OR
              65535:666 is set
            See also the BIRD example on the SIX page.

4) Me: Document this on our website & notify the members it's ready.
       Ask, but not require, that remote switches do the same.

-- 
Richard
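
Added example, not part of the message above and not MICE's or SIX's route-server configuration: a Python model of the step 3 decision, using the blackhole next hops and the 65535:666 community proposed in the message. The Route class, the evaluate function, the sample announcements and the choice to refuse a signalled route that is not a /32 or /128 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Blackhole next hops proposed in the message, keyed by IP version.
BLACKHOLE = {
    4: ipaddress.ip_address("206.108.255.0"),
    6: ipaddress.ip_address("2001:504:27:0:0:FFFF::666"),
}
BLACKHOLE_COMMUNITY = (65535, 666)   # RFC 7999 BLACKHOLE
NO_EXPORT = (65535, 65281)           # well-known NO_EXPORT community

@dataclass
class Route:                         # hypothetical model of a received announcement
    prefix: str
    next_hop: str
    communities: set = field(default_factory=set)

def evaluate(route):
    """Return (verdict, route); verdict is 'normal', 'reject' or 'blackhole'."""
    net = ipaddress.ip_network(route.prefix)
    target = BLACKHOLE[net.version]
    signalled = (ipaddress.ip_address(route.next_hop) == target
                 or BLACKHOLE_COMMUNITY in route.communities)
    if not signalled:
        return "normal", route       # left to the ordinary import policy
    if net.prefixlen != net.max_prefixlen:
        # Assumption: a signalled route that is not a /32 or /128 is refused.
        return "reject", route
    rewritten = Route(str(net), str(target), route.communities | {NO_EXPORT})
    return "blackhole", rewritten

# Constructed announcements; 192.0.2.10 and the 2001:db8:: addresses are placeholders.
SAMPLES = [
    Route("96.31.13.225/32", "192.0.2.10", {BLACKHOLE_COMMUNITY}),
    Route("96.31.13.225/32", "206.108.255.0"),
    Route("2001:db8::1/128", "2001:db8:ffff::10", {BLACKHOLE_COMMUNITY}),
    Route("198.51.100.0/24", "192.0.2.10", {BLACKHOLE_COMMUNITY}),
    Route("198.51.100.0/24", "192.0.2.10"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, out = evaluate(sample)
        print(f"{sample.prefix:20} {verdict:10} next-hop {out.next_hop}")
```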