nanog mailing list archives
Re: Global Blackhole Service
From: Tico <tico-nanog () raapid net>
Date: Fri, 13 Feb 2009 11:29:06 -0600
Jens,

I would be interested in participating with a destination blackhole service, so long as peers were authenticated and only authorized to advertise /32s out of space that they are assigned -- hopefully the same OrgID is used for the ASN as the IP allocations.
However, a blackhole service based on sources would be out of the question altogether in my book, unless paired with a number of third parties that could vet the "badness" of those source IPs, as is done with spam zombies. Even then I'd be very nervous about it from a "causes more [potential] problems than it fixes" standpoint, no matter how cool it would be to defang a DDoS.
As for the memory requirements / "oh no! too many routes!" issue, that would be a non-issue for me.
Feel free to contact me off-list if you're serious about starting this project. I think that it would be worth it to talk to the Team Cymru guys to see if they'd be interested in this.
-Tico

Jens Ott - PlusServer AG wrote:
Hi,

in the last 24 hours we received two denial of service attacks with something like 6-8GBit volume. It did not harm us too much, but e.g. one of our upstreams got his Amsix-Port exploded.

With our upstreams we have remote-blackhole sessions running where we announce /32 prefixes to blackhole at their edge, but this does not work with our peers. Also our Decix-Port received something like 2Gbit extra-traffic during this DoS.

I can imagine that for some peers, especially for the ones having only a thin fiber (e.g. 1GBit) to Decix, it's not too funny having it flooded with a DoS and that they might be interested in dropping such traffic at their edge.

Well I could discuss with my peers (at least the ones who might get in trouble with such issue) to do some individual config for some blackhole-announcement, but most probably I'm not the only one receiving DoS and who would be interested in such setup.

Therefore I had the following idea: Why not take one of my old routers and set it up as blackhole-service. Then everyone who is interested could set up a session to there and

1.) announce /32 (/128) routes out of his prefixes to blackhole them
2.) receive all the /32 (/128) announcements from the other peers with the IPs they want to have blackholed and roll out the blackhole to their network.

My questions to all of you:

- What do you think about such service?
- Would you/your ASN participate in such a service?
- Do you see some kind of useful feature in such a service?
- Do you have any comments?

Thank you for telling me your opinions and best regards

--
===================================================================
Jens Ott
Leiter Network Management
Tel: +49 22 33 - 612 - 3501
Fax: +49 22 33 - 612 - 53501
E-Mail: j.ott () plusserver de
GPG-Fingerprint: 808A EADF C476 FABE 2366 8402 31FD 328C C2CA 7D7A
PlusServer AG
Daimlerstraße 9-11
50354 Hürth
Germany
HRB 58428 / Amtsgericht Köln, USt-ID DE216 740 823
Vorstand: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe
Aufsichtsratsvorsitz: Claudius Schmalschläger
===================================================================
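The acceptance rule discussed in this message (host routes only, and only out of space assigned to the announcing peer) can be sketched as an import filter. This is an added example, not code from the thread or from any existing service; the ASNs, prefixes and function names are constructed for illustration, and the peer ASN is assumed to have been established by the authenticated session.

```python
import ipaddress

# Constructed sample data: documentation ASNs and prefixes, not real assignments.
ASSIGNED = {
    64500: ["192.0.2.0/24", "2001:db8:1::/48"],
    64501: ["198.51.100.0/24"],
}

def _networks(asn):
    """Prefixes registered to a peer ASN (empty list for an unknown peer)."""
    return [ipaddress.ip_network(p) for p in ASSIGNED.get(asn, [])]

def check_announcement(peer_asn, prefix):
    """Return (accepted, reason) for a blackhole route announced by peer_asn."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    # Only host routes are accepted: /32 for IPv4, /128 for IPv6.
    if net.prefixlen != net.max_prefixlen:
        return False, "not a host route"
    allowed = _networks(peer_asn)
    if not allowed:
        return False, "unknown peer"
    # The host route must sit inside space assigned to the announcing peer,
    # so a peer can only blackhole its own destinations.
    for parent in allowed:
        if parent.version == net.version and net.subnet_of(parent):
            return True, "ok"
    return False, "outside assigned space"

def filter_announcements(announcements):
    """Split (peer_asn, prefix) pairs into accepted routes and rejections."""
    accepted, rejected = [], []
    for asn, prefix in announcements:
        ok, reason = check_announcement(asn, prefix)
        (accepted if ok else rejected).append((asn, prefix, reason))
    return accepted, rejected

if __name__ == "__main__":
    sample = [  # constructed announcements
        (64500, "192.0.2.10/32"),      # own space, host route
        (64500, "198.51.100.7/32"),    # another peer's space
        (64501, "198.51.100.0/25"),    # own space, but not a host route
        (64500, "2001:db8:1::5/128"),  # own IPv6 space, host route
    ]
    for asn, prefix, reason in sum(filter_announcements(sample), []):
        print(asn, prefix, reason)
```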