Global Blackhole Service

Jack Bates jbates at brightok.net
Fri Feb 13 16:41:12 UTC 2009


Valdis.Kletnieks at vt.edu wrote:
> How do you vet proposed new entries to make sure that some miscreant doesn't
> DoS a legitimate site by claiming it is in need of black-holing?  Note that
> it's a different problem space than a bogon BGP feed or a spam-source BGP
> feed - if the Cymru guys take another 6 hours to do a proper paperwork and
> background check to verify a bogon, or if Paul and company take another day
> to verify something really *is* a cesspit of spam sources, it doesn't break the
> basic concept or usability of the feed.
> 
Presumably, the route server would have to have the same guidelines as 
issued by service providers, i.e., /32 networks injected should come from 
authenticated feeds and fall within the netblock range owned by the 
injector. So one extra set of ACLs for each injector to upkeep. I 
believe what is being suggested is just one step beyond what many 
providers give to BGP customers to extend blackholes out.

> Oh, and cleaning up an entry in a timely fashion is also important, otherwise
> an attacker can launch a DDoS, get the target into the feed, and walk away...

This also would be decided by the injecting provider. More of a "Hey, 
one of my IPs is being DDoS'd, please drop traffic to it to protect the 
rest of my network." The downside to widespread use is that it makes 
tracking the problem on the other side of the blocks near impossible. In 
all cases, once a blackhole is initiated anywhere, the DDoS has been 
successful. We use automatic community changes to accept /32 blackholes 
from customers, verify them, then send them on to peers that also 
support /32 blackholes with appropriate communities.


Jack
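The vetting Jack describes (accept a host route only from an authenticated injector, only when it falls inside that injector's own netblock, only when tagged with the blackhole community, and age entries out so they do not linger after the attack) as an added, stand-alone example; this is not code from the thread or from any provider's route server, and the injector table, the 24-hour lifetime and the sample prefixes are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Hypothetical per-injector authorization table: each authenticated
# injector may only blackhole hosts inside the netblocks it owns.
AUTHORIZED_PREFIXES = {
    "customer-a": [ipaddress.ip_network("192.0.2.0/24")],
    "customer-b": [ipaddress.ip_network("198.51.100.0/25"),
                   ipaddress.ip_network("2001:db8:100::/48")],
}
BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999 well-known BLACKHOLE value
MAX_LIFETIME = timedelta(hours=24)  # assumed cleanup window; tune per policy


def validate_blackhole(injector, prefix_str, communities):
    """Return (accepted, reason) for a proposed blackhole route.

    Mirrors the guidelines in the thread: the injector must be a known,
    authenticated feed; the route must be a host route (/32 or /128);
    it must carry the blackhole community; and it must lie within a
    netblock the injector is authorized for.
    """
    owned = AUTHORIZED_PREFIXES.get(injector)
    if owned is None:
        return False, "unknown or unauthenticated injector"
    try:
        net = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError:
        return False, "unparseable prefix"
    if BLACKHOLE_COMMUNITY not in communities:
        return False, "missing blackhole community"
    if net.prefixlen != net.max_prefixlen:
        return False, "only host routes (/32 or /128) are accepted"
    if not any(net.version == o.version and net.subnet_of(o) for o in owned):
        return False, "prefix not within injector's netblock"
    return True, "accepted"


def expire_entries(entries, now):
    """Drop installed blackholes older than MAX_LIFETIME.

    entries maps prefix string -> datetime the route was installed.
    Re-announcing refreshes the timestamp; an entry nobody refreshes
    ages out, so a blackhole cannot outlive the attack indefinitely.
    """
    return {p: t for p, t in entries.items() if now - t <= MAX_LIFETIME}
```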