Proposal for mitigating DoS attacks

Leo Bicknell bicknell at
Sat Jul 10 18:27:28 UTC 1999

On Sat, Jul 10, 1999 at 12:34:59PM -0500, Jon Green wrote:
> If I were an ISP, I think I'd have issues with allowing third parties to
> blackhole traffic in my own network.  I don't think this does anything
> to fix the political issues of inter-provider cooperation..  it just
> provides an easier technical solution.

	I'm not sure the issue is with a third party being able to 
block traffic, but rather with who controls that ability.  Blocking
has been around in many forms, eg the RBL/MAPS, ORBS and other services.
Technical differences of the problem aside, at least a subset of the
Internet is willing to "give up control" to another organization in
order to realize a greater benefit.

	Having said that, part of the reason these people succeed is
that there is a single, well known point of control.  If an address
is on the RBL it is fairly easy to go to one point and look it up,
and you know who to contact to get it removed.

	Back to Alex's proposal.  The problem here is that if a route is
blocked, the best method you have to track it back is the AS path.  Now,
while you may have good relationships with your peers and be able to get
information out of them, you probably do not have good relationships
with ISP's 4-5 AS's down in the food chain.  It would not be obvious
where to look, or who to call to answer the question "why is this
network on the list?"  It would also not be obvious who to call to get
the "victim" network removed if it were placed there in error.  In
essence, this returns us to the situation we have today with poor

	I have to wonder if a centralized database for this sort of
thing could work.  Like the RBL BGP feed, there would be a "Bad
IP Things" feed (the BIT Bucket Feed? :-).  It would come from a single
ASN, and anyone who wants to participate would peer with that AS.  In
order to make it real time, member networks would go through some
"approval" process that would allow them to add entries to this via a
web or e-mail based system in "real time".  Every entry would be logged
with when it was entered, who entered it, and so forth in a single place
that is easy to query.

	Having this centralized database might also lead to other
interesting results, like scanning for patterns (repeat offenders,
attacks from different IP's that always happen at the same time) that
would help shut down the real offenders.

	It's an interesting idea, all in all.  I give it a one in
five chance of going somewhere, which by Internet standards is pretty
good! :-)

Leo Bicknell - bicknell at
Systems Engineer - Internetworking Engineer - CCIE 3440
Read TMBG List - tmbg-list-request at,

More information about the NANOG mailing list