[LINK] Storm Worm Botnet More Powerful Than Top Supercomputers

Wed Sep 12 16:27:06 AEST 2007

Well, if you're talking about an ADSL or similarly-"reliable" service
you definitely don't want to have your route announcement dependant
on the state of your interface. All it'd take is ten minutes of bouncing
up and down for your subnet to be relatively unreachable, thanks to the
power of BGP dampening.

Of course there are ways around it, but I bet the bulk of your ISPs'
clientbase aren't people with PI space on *DSL tails.

I'd just bite it as a cost for having a PI /24 and include calling
your ISP to remove the announcement during downtime part of your
daily operations.

Adrian

On Wed, Sep 12, 2007, Karl Auer wrote:

> > Routing isn't -that- simple. How and when should they choose not to
> > advertise your subnet?
> 
> I have no idea how they advertise our route, but advertise it they must,
> 'cos the packets get to us. It's PI space, not aggregatable with their
> address space as far as I know, though blind chance may have it nestled
> up against a block of their own addresses. The link was not merely
> failing to respond or anything, it was *gone*. As to when, well, while I
> can understand them not wanting to react in too brittle a fashion, I
> think any time after the first half hour would have been about the right
> moment to consider the possibility that the missing link was indeed hors
> de combat.
> 
> I think they almost certainly could have and should have advertised the
> fact upstream. But I'm not going to stick my hand in a fire and swear to
> it. I can think of a dozen ways it wasn't their fault. On the other
> hand, blindly shooting packets out an interface that is not even
> *connected* and then counting them as billable traffic is a bit rich. If
> they hadn't been able to charge us for them, I wonder if they'd then
> have magically been able to stop the flow...?
> 
> For 500Mb who cares? We certainly didn't in the great scheme of things,
> and perhaps had we been in a position where the traffic had been
> meaningfully large, we would also have had more/better infrastructure
> and perhaps better SLAs. Hey, *any* SLAs.