Global Blackhole Service

Jack Bates jbates at brightok.net
Fri Feb 13 17:31:16 UTC 2009


Steven M. Bellovin wrote:
> In other words, a legitimate prefix hijacking service...
> 

Absolutely, NOT. The origin AS will still be the AS that controls the IP 
space. In fact, I think SBGP would be great for a layout like this to 
secure down the injections. That being said, prefix lists with md5 auth 
are probably the best we can hope for. Routing registry macro support or 
a hashed authorization link sent to whois contacts to automate 
modification of the prefix lists would be ideal (not much different than 
a provider is *supposed* to do with their BGP customers). Once the peer 
is established and limited in scope, they can then start advertising /32 
networks into the blackhole server who will pass it on to others.

> As Randy and Valdis have pointed out, if this isn't done very carefully
> it's an open invitation to a new, very effective DoS technique.  You
> can't do this without authoritative knowledge of exactly who owns any
> prefix; you also have to be able to authenticate the request to
> blackhole it.  Those two points are *hard*.  I also note that the
> scheme as described here is incompatible with more or less any possible
> secured BGP, since by definition it involves an AS that doesn't own a
> prefix advertising a route to it.

I would presume that md5 BGP peering with prefix lists developed based 
on public information (whois/routing registry) is about as good as any 
of us have it now. Granted, there are places that don't do that, and 
that is where we see route hijacking. A service like this would have to 
mandate it, to ensure any /32 injected into it came from the peer that 
is authorized for the network the /32 belongs to. Since the AS_PATH can 
be maintained, I don't see an issue with secure BGP. Granted, the 
packets themselves won't be taking any path.


Jack Bates
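
Added example, not part of the original message and not code from any real blackhole service: a sketch of the per-peer check described above, where a /32 is accepted only if it falls inside the prefix list built for the injecting peer from registry data and its origin AS matches the registered origin. The registry records, AS numbers, macro layout and function names are constructed assumptions; MD5 session authentication is assumed to be handled by the BGP session itself and is not modelled.

```python
import ipaddress

# Constructed registry data (documentation ASNs and prefixes, not real records).
ROUTE_OBJECTS = [            # (prefix, origin AS), as in routing-registry route objects
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64510),
    ("203.0.113.0/24", 64501),
]
AS_MACROS = {                # peer AS -> ASes it may announce for (itself plus customers)
    64500: {64500, 64510},
    64501: {64501},
}

def build_prefix_lists(route_objects, as_macros):
    """Expand each peer's macro into the networks it may inject /32s from."""
    lists = {}
    for peer, members in as_macros.items():
        lists[peer] = [(ipaddress.ip_network(p), origin)
                       for p, origin in route_objects if origin in members]
    return lists

def check_injection(prefix_lists, peer_as, route, as_path):
    """Return (accepted, reason) for a blackhole route received on peer_as's session."""
    try:
        net = ipaddress.ip_network(route)   # raises if host bits are set, e.g. 192.0.2.1/24
    except ValueError:
        return False, "malformed prefix"
    if net.version != 4 or net.prefixlen != 32:
        return False, "not an IPv4 /32"
    if peer_as not in prefix_lists:
        return False, "unknown peer"
    if not as_path or as_path[0] != peer_as:
        return False, "AS_PATH does not start with the peer"
    for covering, origin in prefix_lists[peer_as]:
        if net.subnet_of(covering):
            # The origin AS must still be the AS registered for the covering network.
            if as_path[-1] == origin:
                return True, f"covered by {covering}"
            return False, "origin AS does not match the registered origin"
    return False, "outside the peer's prefix list"

PREFIX_LISTS = build_prefix_lists(ROUTE_OBJECTS, AS_MACROS)

if __name__ == "__main__":
    print(check_injection(PREFIX_LISTS, 64500, "192.0.2.55/32", [64500]))
    print(check_injection(PREFIX_LISTS, 64501, "192.0.2.55/32", [64501]))
```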



