nanog mailing list archives
Re: Global Blackhole Service
From: Jack Bates <jbates () brightok net>
Date: Fri, 13 Feb 2009 10:41:12 -0600
Valdis.Kletnieks () vt edu wrote:
> How do you vet proposed new entries to make sure that some miscreant doesn't DoS a legitimate site by claiming it is in need of black-holing? Note that it's a different problem space than a bogon BGP feed or a spam-source BGP feed - if the Cymru guys take another 6 hours to do a proper paperwork and background check to verify a bogon, or if Paul and company take another day to verify something really *is* a cesspit of spam sources, it doesn't break the basic concept or usability of the feed.

Presumably, the route server would have to have the same guidelines as issued by service providers, i.e., /32 networks injected should come from authenticated feeds and fall within the netblock range owned by the injector. So one extra set of ACLs for each injector to upkeep. I believe what is being suggested is just one step beyond what many providers give to BGP customers to extend blackholes out.

> Oh, and cleaning up an entry in a timely fashion is also important, otherwise an attacker can launch a DDoS, get the target into the feed, and walk away...

This also would be decided by the injecting provider. More of a "Hey, one of my IPs is being DDOS'd, please drop traffic to it to protect the rest of my network." The downside to widespread use is that it makes tracking the problem on the other side of the blocks near impossible. In all cases, once a blackhole is initiated anywhere, the DDOS has been successful. We use automatic community changes to accept /32 blackholes from customers, verify them, then send them on to peers that also support /32 blackholes with appropriate communities.
Jack
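
The vetting rules named in the message above (authenticated feed, /32 only, inside the injector's own netblocks, tagged with a blackhole community), written out as an added example; it is not part of the original post or any provider's tooling. The injector names, the documentation prefixes and the use of the RFC 7999 community value are assumptions.

```python
import ipaddress

# Constructed data: injector names and netblocks are assumptions (documentation
# prefixes); the community is the RFC 7999 BLACKHOLE value, assumed here.
BLACKHOLE_COMMUNITY = "65535:666"
OWNED_NETS = {
    "customer-a": [ipaddress.ip_network("192.0.2.0/24")],
    "customer-b": [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("203.0.113.0/25")],
}

def vet_blackhole(injector, prefix, communities, authenticated):
    """Return (accepted, reason) for one proposed blackhole route."""
    if not authenticated:
        return False, "feed not authenticated"
    nets = OWNED_NETS.get(injector)
    if nets is None:
        return False, "unknown injector"
    if BLACKHOLE_COMMUNITY not in communities:
        return False, "no blackhole community"
    try:
        route = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if route.version != 4 or route.prefixlen != 32:
        return False, "not an IPv4 /32"
    # The per-injector ACL: the host route must sit inside a netblock
    # registered to the session that announced it.
    if not any(route.subnet_of(n) for n in nets):
        return False, "outside injector's netblocks"
    return True, "accepted"

def vet_feed(updates):
    """Split a batch into routes to pass on to peers and rejections to log."""
    passed, rejected = [], []
    for u in updates:
        ok, reason = vet_blackhole(**u)
        (passed if ok else rejected).append((u["injector"], u["prefix"], reason))
    return passed, rejected

def _u(injector, prefix, authenticated=True):
    return {"injector": injector, "prefix": prefix,
            "communities": [BLACKHOLE_COMMUNITY], "authenticated": authenticated}

SAMPLE_UPDATES = [  # constructed announcements
    _u("customer-a", "192.0.2.10/32"),      # own address: accepted
    _u("customer-a", "198.51.100.7/32"),    # customer-b's space: rejected
    _u("customer-b", "203.0.113.200/32"),   # outside its /25: rejected
    _u("customer-b", "198.51.100.0/24"),    # not a host route: rejected
    _u("customer-a", "192.0.2.11/32", authenticated=False),
]
```

The rejected list is what a route server operator would log and review, since a blackhole request for someone else's address is the abuse case raised in the quoted question.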