Global Blackhole Service
tico-nanog at raapid.net
Fri Feb 13 11:29:06 CST 2009
I would be interested in participating with a destination blackhole
service, so long as peers were authenticated and only authorized to
advertise /32s out of space that they are assigned -- hopefully the same
OrgID is used for the ASN as the IP allocations.
However, a blackhole service based on sources would be out of the
question altogether in my book, unless paired with a number of third
parties that could vet the "badness" of those source IPs, as is done
with spam zombies. Even then I'd be very nervous about it from a "causes
more [potential] problems than it fixes" standpoint, no matter how cool
it would be to defang a DDoS.
As for the memory requirements / "oh no! too many routes!" issue, that
would be a non-issue for me.
Feel free to contact me off-list if you're serious about starting this
project. I think that it would be worth it to talk to the Team Cymru
guys to see if they'd be interested in this.
Jens Ott - PlusServer AG wrote:
> In the last 24 hours we received two denial of service attacks with something
> like 6-8GBit volume. It did not harm us too much, but e.g. one of our
> upstreams got his Amsix-Port exploded.
> With our upstreams we have remote-blackhole sessions running where we announce
> /32 prefixes to blackhole at their edge, but this does not work with our
> peers. Also our Decix-Port received something like 2Gbit extra-traffic during
> this DoS.
> I can imagine that for some peers, especially for the ones having only a thin
> fiber (e.g. 1GBit) to Decix, it's not too funny having it flooded with a DoS
> and that they might be interested in dropping such traffic at their edge.
> Well, I could discuss with my peers (at least the ones who might get in trouble
> with such an issue) to do some individual config for some blackhole-announcement,
> but most probably I'm not the only one receiving DoS and who would be
> interested in such setup.
> Therefore I had the following idea: Why not take one of my old routers and
> set it up as blackhole-service. Then everyone who is interested could set up a
> session to there and
> 1.) announce /32 (/128) routes out of his prefixes to blackhole them
> 2.) receive all the /32 (/128) announcements from the other peers with the IPs
> they want to have blackholed and rollout the blackhole to their network.
> My questions to all of you:
> - What do you think about such service?
> - Would you/your ASN participate in such a service?
> - Do you see some kind of useful feature in such a service?
> - Do you have any comments?
> Thank you for telling me your opinions and best regards
> --
> Jens Ott
> Leiter Network Management
> Tel: +49 22 33 - 612 - 3501
> Fax: +49 22 33 - 612 - 53501
> E-Mail: j.ott at plusserver.de
> GPG-Fingerprint: 808A EADF C476 FABE 2366 8402 31FD 328C C2CA 7D7A
> PlusServer AG
> Daimlerstraße 9-11
> 50354 Hürth
> HRB 58428 / Amtsgericht Köln, USt-ID DE216 740 823
> Vorstand: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe
> Aufsichtsratsvorsitz: Claudius Schmalschläger