[External] announcing IPs by scrubbing service to help with DDoS attacks and ROAs

Amir Herzberg amir.lists at gmail.com
Sat Nov 18 01:34:01 UTC 2023


Tom, thanks. I'm an academic researcher, not a network operator; sorry for
the confusion, I should have been clearer.

The practice you described indeed shouldn't require ROA. I didn't even
consider it, probably since I've been working so much on prefix hijacks,
and this prefix would result in increased vulnerability to prefix hijacks.
But if there's only a DDoS attack on the prefix and it's not being hijacked
at the same time, then I think this practice may be fine - which would make
such `emergency ROA' unnecessary.
So that's very very useful feedback, thanks a lot!! Amir
-- 
Amir Herzberg

Comcast professor of Security Innovations, Computer Science and
Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures:
https://sites.google.com/site/amirherzberg/cybersecurity




On Fri, Nov 17, 2023 at 12:09 AM Tom Krenn <Tom.Krenn at hennepin.us> wrote:

> It has been a few years, but I recall advertising my routes to the
> scrubbing center via a tunnel and just prepending to my other peers when in
> mitigation. This was pre-RPKI days, but my ASN was still originating the
> route. So, I would assume no change in ROA would be needed in that
> scenario. Are you allowing them to originate your routes or are they just
> another hop in your as-path?
>
>
>
> Tom Krenn
>
> Network Architect
>
> Enterprise Architecture - Information Technology
>
>
>
>
>
>
> *From:* NANOG <nanog-bounces+tom.krenn=hennepin.us at nanog.org> *On Behalf
> Of *Amir Herzberg
> *Sent:* Thursday, November 16, 2023 19:58
> *To:* NANOG <nanog at nanog.org>
> *Subject:* [External] announcing IPs by scrubbing service to help with
> DDoS attacks and ROAs
>
>
> Hi, do people use scrubbing services, when under DDoS attack, by having
> the scrubbing service announce the attacked IP prefix(es)?
>
>
>
> If so, and you have a ROA for these prefixes, do you authorize the
> scrubbing AS (by issuing ROA or otherwise), and if so, do you do it in
> advance or only when you need the scrubbing service to announce your
> prefix?
>
>
>
> To clarify: we have a possible method to allow such `emergency ROAs' but
> I'm not convinced if we have a solution to a real problem - or if we just
> found a cute crypto solution and will end up writing it for a non-real
> problem. I prefer not to waste our time on presenting cute solutions to
> non-real problems :)
>
>
>
> So thanks for your help! Use your judgement whether to respond on list or off
> list.
>
>
>
> Many thanks, Amir
>
> --
>
> Amir Herzberg
>
>
>
> Comcast professor of Security Innovations, Computer Science and
> Engineering, University of Connecticut
>
> Homepage: https://sites.google.com/site/amirherzberg/home
>
> `Applied Introduction to Cryptography' textbook and lectures:
> https://sites.google.com/site/amirherzberg/cybersecurity
>
>
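To make the thread's point concrete, here is an added example (not code from either poster) of RFC 6811-style Route Origin Validation applied to the mitigation scenarios discussed: a prepended announcement or a scrubbing AS acting as a transit hop keeps the customer ASN as origin and stays RPKI-valid under the existing ROA, whereas the scrubbing AS originating the prefix itself is Invalid unless a ROA authorises it. The prefix and ASNs are documentation values chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # ROA prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest announced prefix length this ROA authorises
    origin_asn: int  # ASN authorised to originate the prefix


def origin_asn(as_path):
    """The origin AS is the rightmost AS in the AS_PATH; prepending does not change it."""
    return as_path[-1]


def validate(announced_prefix, as_path, roas):
    """Return 'valid', 'invalid' or 'notfound' for an announcement (RFC 6811 semantics)."""
    ann = ipaddress.ip_network(announced_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if ann.version != roa_net.version or not ann.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True  # covered by a ROA; now check for a full match
        if roa.origin_asn == origin_asn(as_path) and ann.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


# Constructed example: customer AS64496 holds a ROA for 192.0.2.0/24, scrubbing service is AS64500.
ROAS = [ROA("192.0.2.0/24", 24, 64496)]


def scenarios():
    """Validation outcome for each mitigation practice discussed in the thread."""
    return {
        # ordinary announcement from the customer
        "direct": validate("192.0.2.0/24", [64496], ROAS),
        # prepended towards other peers while in mitigation; origin unchanged
        "prepended": validate("192.0.2.0/24", [64496, 64496, 64496], ROAS),
        # scrubbing AS is just another hop in the path; customer still originates
        "via_scrubber": validate("192.0.2.0/24", [64500, 64496], ROAS),
        # scrubbing AS originates the prefix itself: covered by a ROA but no match
        "scrubber_originates": validate("192.0.2.0/24", [64500], ROAS),
        # more-specific than the ROA's maxLength
        "too_specific": validate("192.0.2.0/25", [64496], ROAS),
        # prefix with no ROA at all
        "no_roa": validate("198.51.100.0/24", [64496], ROAS),
    }
```

The "scrubber_originates" case is the one an emergency ROA would have to cover; the others need no ROA change.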

