Re: Global Blackhole Service

[Jens Ott - PlusServer AG <j.ott () plusserver de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Skywing schrieb:
> Of course, whomever hosts such a service becomes an attractive DoS target themselves if it were ever to gain real 
> traction in the field.  There is also the "reverse-DoS" issue of an innocent party getting into the feed if anyone 
> can peer with it.


You are right, and that's also what I am currently thinking about. Well, one
solution might be, that all participants blackhole-routers IPs are also
announced with some special community and all participants drop all traffic
but bgp traffic from IPs listed with that community to the blackhole RR
destination(s) everywhere in there network.

BR
Jens

> - S
>
> -----Original Message-----
> From: Nuno Vieira - nfsi telecom <nuno.vieira () nfsi pt>
> Sent: Friday, February 13, 2009 07:13
> To: Jens Ott - PlusServer AG <j.ott () plusserver de>
> Cc: nanog <nanog () nanog org>
> Subject: Re: Global Blackhole Service
>
>
> Hi Jens,
>
> I think we are in the same boat.
>
> We suffered the same problem often, on a lower magnitude, but if a project like this exists those DDoS could even be 
> almost near zero.
>
> This is somewhat similar to what Spamcop, and other folks do with SPAM today, but applied on a diferent scope, say, 
> BGP Blackhole.
>
> This service can span wide after just peers, opening the opportunity to edge-to-edge DDoS mitigation.
>
> Say, a network in .pt or .de is beign attacked at large, and dst operators inject the dst attacked source on the 
> blackhole bgp feed...   say that 100+ other ops around the world use a cenário like this... this might be very useful.
> concers: the "autohority" or the "responsible" for maintaining this project, must assure that OP A or OP B can *only* 
> annouce chunks that below to him, avoiding any case of hijack.
>
> We would be interested in participating in something like this.
>
> So,
>
> > My questions to all of you:
> >
> > - - What do you think about such service?
>
> It will be great. We are available to help.
>
> > - - Would you/your ASN participate in such a service?
>
> Yes.
>
> > - - Do you see some kind of usefull feature in such a service?
>
> Yes, a few thoughts above, some more might come up.
>
> > - - Do you have any comments?
>
> For starters, a few above.
>
> Regards,
> ---
> Nuno Vieira
> nfsi telecom, lda.
>
> nuno.vieira () nfsi pt
> Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
> http://www.nfsi.pt/
>
>
>
> ----- "Jens Ott - PlusServer AG" <j.ott () plusserver de> wrote:
>
> Hi,
>
> in the last 24 hours we received two denial of service attacks with
> something
> like 6-8GBit volume. It did not harm us too much, but e.g. one of our
> upstreams got his Amsix-Port exploded.
>
> With our upstreams we have remote-blackhole sessions running where we
> announce
> /32 prefixes to blackhole at their edge, but this does not work with
> our
> peers. Also our Decix-Port received something like 2Gbit extra-traffic
> during
> this DoS.
>
> I can imagine, that for some peers, especially for the once having
> only a thin
> fiber (e.g. 1GBit) to Decix, it's not to funny having it flooded with
> a DoS
> and that they might be interested in dropping such traffic at their
> edge.
>
> Well I could discuss with my peers (at least the once who might get in
> trouble
> with such issue) to do some individual config for some
> blackhole-announcement,
> but most probably I'm not the only one receiving DoS and who would be
> interested in such setup.
>
> Therefore I had the following idea: Why not taking one of my old
> routers and
> set it up as blackhole-service. Then everyone who is interested could
> set up a
> session to there and
>
> 1.) announce /32 (/128) routes out of his prefixes to blackhole them
> 2.) receive all the /32 (/128) announcements from the other peers with
> the IPs
> they want to have blackholed and rollout the blackhole to their
> network.
>
> My questions to all of you:
>
> - What do you think about such service?
> - Would you/your ASN participate in such a service?
> - Do you see some kind of usefull feature in such a service?
> - Do you have any comments?
>
> Thank you for telling me your opinions and best regards

- --
===================================================================

Jens Ott
Leiter Network Management

Tel: +49 22 33 - 612 - 3501
Fax: +49 22 33 - 612 - 53501

E-Mail: j.ott () plusserver de
GPG-Fingerprint: 808A EADF C476 FABE 2366  8402 31FD 328C C2CA 7D7A

PlusServer AG
Daimlerstraße 9-11
50354 Hürth

Germany

HRB 58428 / Amtsgericht Köln, USt-ID DE216 740 823
Vorstand: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe
Aufsichtsratsvorsitz: Claudius Schmalschläger

===================================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmVqvwACgkQMf0yjMLKfXp1OgCfcvTgueonvW4z0dOash9KWUb0
pjMAniZprPAM14H477EHy4I0Ccd9nqy4
=EH0/
-----END PGP SIGNATURE-----