Can DDoS be stopped with BGP? [duplicate]

ddos bgp

When I am experiencing DDoS @10Gbps, if I have BGP router with 10M table entries in it, can I perform search on the offensive network?

I would do this the way, that first I would remove routing to me for first /8 and see if DDoS will stop. And then search this way the source of the DDoS on the complete 32bit address space.

I am not familiar with BGP a lot, not sure how long it propagates and how long such search would take and what would be impact. Also not sure if I can actually prevent some network stop routing to me by their ip numbers I download from RIPE and Arin.

This is particularly for dealing with spoofed attacks, as normal ones can be traced more effectively.

Or how much bandwidth do I need and no of locations to sustain any kind of DDoS in Europe? I can re-route traffic with Route 53 latency based DNS. Recent disclosed strike I read about was around 13Gbps, would 20Gbps be enough?


BGP is a routing protocol. It can't be used to detect the attacking IP addresses.

On a router/network, the most efficient way to drop packets from attackers is to null-route the target IP as close as possible to the attacking networks. This means that your service will be unreachable for those networks.

This can be done with BGP through your transit providers, with a mecanism called RTBH, or Remotely-Triggered Black Hole routing.

There is an interesting post about RTBH here.

If you have only one router, null-routing the IPs will be done at the outside edge of your perimeter (firewall/router), hence completely removing your attacked services from the Internet, but also saturating your pipe.

If you want to know what IP addresses are used in the attacks, Netflow/IPFix would be the protocols to use.


No, that won't work.

Your routing table controls how you reach everyone else. Everyone else's routing tables control how they reach you.

You can't remove other people's routing entries to you with specificity. The way other networks pass on routes to you is based on their routing policies, not yours. All you can do is stop advertising routes, and that will cause everyone to lose that route to you.

Related

Who is 1014? I have no user on my system named 1014, so why is this httpd process run as 1014?
Store system passwords with easy and secure access
How to secure memcached?
Fail to mount image files in windows server 2012
Ram recommendations vs SQL DB size
Server freeze - how to debug
HTTP/1.1 Status Codes 400 and 417, cannot choose which
Flash Backed Write Cache (FBWC) without capacitor pack
Install xdebug for php 5.3.17 on centos 6.3 (final)
TCP connection stuck in SYN_RECV state despite ACK received, Linux 2.6.18, embedded, ARM
Is this IPv4 and subnet combination public or private? [duplicate]
If a managed network switch were to overheat, would you consider it no longer reliable?