Can DDoS be stopped with BGP? [duplicate]

When I am experiencing DDoS @10Gbps, if I have BGP router with 10M table entries in it, can I perform search on the offensive network?

I would do this the way, that first I would remove routing to me for first /8 and see if DDoS will stop. And then search this way the source of the DDoS on the complete 32bit address space.

I am not familiar with BGP a lot, not sure how long it propagates and how long such search would take and what would be impact. Also not sure if I can actually prevent some network stop routing to me by their ip numbers I download from RIPE and Arin.

This is particularly for dealing with spoofed attacks, as normal ones can be traced more effectively.

Or how much bandwidth do I need and what number of locations to sustain any kind of DDoS in Europe? I can re-route traffic with Route 53 latency based DNS. A recently disclosed strike I read about was around 13Gbps, would 20Gbps be enough?


BGP is a routing protocol. It can't be used to detect the attacking IP addresses.

On a router/network, the most efficient way to drop packets from attackers is to null-route the target IP as close as possible to the attacking networks. This means that your service will be unreachable for those networks.

This can be done with BGP through your transit providers, with a mechanism called RTBH, or Remotely-Triggered Black Hole routing.

There is an interesting post about RTBH here.

If you have only one router, null-routing the IPs will be done at the outside edge of your perimeter (firewall/router), hence completely removing your attacked services from the Internet, but also saturating your pipe.

If you want to know what IP addresses are used in the attacks, NetFlow/IPFIX would be the protocols to use.
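As an added illustration of the last point (example code, not from the answer or any flow collector), this aggregates exported flow records by source /24 toward the attacked address and ranks the prefixes by share of bytes, which is the kind of view you would use to decide what to black-hole. The flow records, the CSV column layout and the 10% threshold are all constructed assumptions; only IPv4 is handled.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (src, dst, proto, bytes), shaped like what a
# NetFlow/IPFIX collector might export to CSV. Not real traffic.
FLOWS = """\
src,dst,proto,bytes
203.0.113.10,198.51.100.5,17,900000
203.0.113.11,198.51.100.5,17,850000
203.0.113.12,198.51.100.5,17,870000
192.0.2.7,198.51.100.5,6,12000
192.0.2.8,198.51.100.5,6,15000
198.18.4.2,198.51.100.5,17,640000
198.18.4.9,198.51.100.5,17,610000
192.0.2.9,198.51.100.77,6,30000
"""


def parse_flows(text):
    """Parse CSV flow lines into dicts; skip the header and malformed lines."""
    flows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(",")
        if len(parts) != 4:
            continue
        src, dst, proto, nbytes = parts
        flows.append({"src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "proto": int(proto), "bytes": int(nbytes)})
    return flows


def top_source_prefixes(flows, target, prefix_len=24, min_share=0.10):
    """Sum bytes sent to `target` per source prefix and return (prefix, share)
    pairs whose share of the total exceeds min_share, largest first."""
    target = ipaddress.ip_address(target)
    per_prefix = defaultdict(int)
    total = 0
    for f in flows:
        if f["dst"] != target:
            continue  # only traffic toward the attacked address counts
        net = ipaddress.ip_network(f"{f['src']}/{prefix_len}", strict=False)
        per_prefix[net] += f["bytes"]
        total += f["bytes"]
    if total == 0:
        return []
    ranked = sorted(per_prefix.items(), key=lambda kv: kv[1], reverse=True)
    return [(str(net), round(b / total, 3)) for net, b in ranked
            if b / total >= min_share]
```

Flow records carry the source address as it appeared on the wire, so for spoofed traffic these prefixes are the forged ones and black-holing them would hurt innocent networks; a destination-based RTBH on the target IP works regardless of spoofing.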


No, that won't work.

Your routing table controls how you reach everyone else. Everyone else's routing tables control how they reach you.

You can't remove other people's routing entries to you with specificity. The way other networks pass on routes to you is based on their routing policies, not yours. All you can do is stop advertising routes, and that will cause everyone to lose that route to you.