Please note that automatic black-holing without user confirmation is
probably a bad idea. You should implement your own script, tailored to your
network, and do as many checks as possible: e.g. not allowing more than a
certain number of prefixes to be black-holed at one time; adding exceptions
for specific hosts (e.g. peering IPs, management IPs on your routers, etc.);
investing a lot of time in validating flood detection rules (you wouldn't
want a network scanner to black-hole an entire network); and having a
process for automatic removal of the offending IP from the blackhole after
a while.

I have developed such a system for our network (detection as a back-end
plugin in nfsen, web interface for operators and custom scripts for the
actual black-holing), but the mitigation process requires human
confirmation.
On Tue, Oct 1, 2013 at 5:26 PM, Italo Valcy <it...@dcc.ufba.br> wrote:
> Hi Aaron,
>
> I think that you have many options to do that, either manually
> (through Expect for example, where you access your routers and
> install/configure the blackholes) or in a more elegant/efficient way,
> through Flow Specification:
>
> http://tools.ietf.org/html/rfc5575
>
> See if your router does support this great feature.
>
>
> Kind Regards, Italo.
>
> - --
> Federal University of Bahia/Brazil
> PoP-BA/RNP :: http://www.pop-ba.rnp.br
> INOC: 53164*100
> Tel.: +55 71 3283-569
>
>
>
> On 01-10-2013 10:50, Aaron wrote:
> >
> > Hello all,
> >
> >
> >
> > We like our nfsen machine. We are currently seeing nfsen alerts in
> > emails from thresholds we've set to detect (d)dos attack in our
> > network. Is it possible to take the ip address under attack and
> > then have the nfsen linux machine advertise a route into my network
> > that is received by my internet boundary routers in order to
> > blackhole (null route) that ddos traffic so it does not flow through
> > my network?
> >
> >
> >
> >
>
>
> - --
> Sincerely,
>
> Italo Valcy :: http://wiki.dcc.ufba.br/Main/ItaloValcy
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
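
The safeguards listed at the top of this thread (a cap on simultaneous black-holes, exceptions for protected hosts, operator confirmation, automatic removal after a while), sketched as an added example that is not code from any poster on this list. The class name, the protected prefixes, the cap, the TTL and the host-route-only rule are assumptions; the route announcement and withdrawal are left to the caller.

```python
import ipaddress

# Assumed values for illustration; tune every one of them to your own network.
PROTECTED = ("192.0.2.0/28", "198.51.100.1/32")  # e.g. peering and management IPs
MAX_ACTIVE = 3      # cap on simultaneously black-holed prefixes
TTL_SECONDS = 3600  # automatic removal after this long


class BlackholeGuard:
    """Decides whether a black-hole request may proceed; announces nothing itself."""

    def __init__(self, protected=PROTECTED, max_active=MAX_ACTIVE, ttl=TTL_SECONDS):
        self.protected = [ipaddress.ip_network(p) for p in protected]
        self.max_active = max_active
        self.ttl = ttl
        self.active = {}  # network -> expiry time (seconds)

    def expire(self, now):
        """Drop entries past their TTL; return them so the caller can withdraw the routes."""
        expired = [net for net, until in self.active.items() if until <= now]
        for net in expired:
            del self.active[net]
        return expired

    def request(self, target, confirmed_by, now):
        """Return (accepted, reason) for one candidate taken from a flood alert."""
        self.expire(now)
        try:
            net = ipaddress.ip_network(target, strict=True)
        except ValueError:
            return False, "invalid prefix"
        # Assumption: host routes only, so a bad alert can never take out a whole network.
        if net.prefixlen != net.max_prefixlen:
            return False, "only single hosts may be black-holed"
        if any(p.version == net.version and p.overlaps(net) for p in self.protected):
            return False, "protected address"
        if not confirmed_by:
            return False, "operator confirmation required"
        if net in self.active:
            return False, "already black-holed"
        if len(self.active) >= self.max_active:
            return False, "too many active black-holes"
        self.active[net] = now + self.ttl
        return True, "accepted"
```

Calling `expire()` from a periodic job returns the prefixes whose routes should be withdrawn.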