Hey,
On 18 April 2018 at 14:03, Ryan Hamel <[email protected]> wrote:
>> a) edge filter, on all edge interfaces ensure that only udp traceroute, icmp
>> are sent (policed) to infrastructure addresses
>
> While I can implement an edge filter to drop such traffic, it's impacting our
> clients' traffic as well.

I don't understand why that would be true; your customers shouldn't be using
links for anything useful. But again, in your case the attack is coming from the
far end, so they need to do this to benefit you.

>> b) do not advertise link networks in iBGP
>
> This has never been an issue.

It is now. If the link is far-end assigned, and if the far end does not advertise
it, then the attack has to come from the same far-end router as where you're
connected, greatly reducing the attack surface.

>> c) do run BGP with GTSM, so you can drop BGP packets with lower TTL than 255
>
> Could you explain how this can resolve my issue? I am not sure how this
> would work.

If your link isn't protected, then attacking just your BGP session allows
bringing down the BGP with very modest Mbps, like <5Mbps. If you do GTSM and
drop <255 TTL BGP, then typically an attacker can't bring down the BGP session,
or at the very least they need to congest the whole linerate.

-- 
++ytti

