Global Blackhole Service

Fri Feb 13 16:28:57 UTC 2009

On Fri, 13 Feb 2009 15:57:32 +0100, Jens Ott - PlusServer AG said:
> Therefore I had the following idea: Why not taking one of my old routers and
> set it up as blackhole-service. Then everyone who is interested could set up a
> session to there and
>
> 1.) announce /32 (/128) routes out of his prefixes to blackhole them
> 2.) receive all the /32 (/128) announcements from the other peers with the IPs
> they want to have blackholed and rollout the blackhole to their network.

How do you vet proposed new entries to make sure that some miscreant doesn't
DoS a legitimate site by claiming it is in need of black-holing?  Note that
it's a different problem space than a bogon BGP feed or a spam-source BGP
feed - if the Cymru guys take another 6 hours to do a proper paperwork and
background check to verify a bogon, or if Paul and company take another day
to verify something really *is* a cesspit of spam sources, it doesn't break the
basic concept or usability of the feed.

You usually don't *have* a similar luxury if you're trying to deal with a
DDoS, because those are essentially a real-time issue.

Oh, and cleaning up an entry in a timely fashion is also important, otherwise
an attacker can launch a DDoS, get the target into the feed, and walk away...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20090213/6881e461/attachment.sig>