Blackhole Routes

Ian Dickinson ian.dickinson at pipex.net
Sat Oct 2 22:06:31 UTC 2004


Richard A Steenbergen wrote:
> I'd have to disagree with you. While you and many other networks may be 
> able to handle most DoS attacks without involving your upstreams, there 
> are still plenty (the majority I would say) of networks who can't. In 
> fact, the entire CONCEPT of a blackhole customer community is to move the 
> filtering up one level higher on the Internet, where it should 
> theoretically be easier for the larger network to filter. It would be 
> silly to assume that there is no attack which the person implementing the 
> blackhole community can not handle, or to assume that there will never be 
> tier 2/3 ISPs aggregating or reselling bandwidth.
> 
> Also, since the point of a blackhole community is to block all traffic to 
> a destination prefix anyways, it doesn't matter whether the blackhole 
> takes place 1 network upstream or 10. Any prefix which can be announced 
> and routed on the global routing table should be able to be blackholed by 
> every network on the global Internet, using a standard well-known 
> community. This changes nothing of the current practices of accountability 
> for your announcements, filtering by prefix length, etc. There would still 
> remain a clear role for no-export and more specifics up to /32 between 
> networks who have negotiated this relationship, but there is absolutely no 
> reason you couldn't and shouldn't have global blackholes available as 
> well.

You'd need an additional community to flag this, e.g. 65001:666 means to
blackhole, 65001:6666 means to propagate it as well.  I can't speak for
others but when we blackhole the destination (as opposed to blackholing 
the source or mitigating) we often only do it in the direction from
which the attack is coming*.  Why drop globally when you can drop
traffic from a subset of the Internet?  Your victim will thank you
if 90% of their customer base can reach them, versus none.  Similarly,
if they're multi-homed, they may well rely on you NOT propagating.
Maybe this looks different from the perspective of a global Tier-1.

* We often find that even with the larger attacks, the vast majority of
the traffic comes in from a particular vector (or group of vectors).
Rarely does traffic enter via peerings equally.
-- 
Ian Dickinson
Development Engineer
PIPEX
ian.dickinson at pipex.net
http://www.pipex.net
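One way to implement the two-community scheme proposed above on a Cisco IOS border router, as an added example that is not part of the original post or of PIPEX's configuration. AS 65001 is taken from the post; the discard next-hop 192.0.2.1, the customer prefix 198.51.100.0/24, the neighbour addresses, the upstream's blackhole community 64496:666 and all route-map and list names are assumptions for illustration. The first community keeps the discard inside the local AS (no-export is attached, so the /32 never leaves); the second leaves the community on the route so the outbound policy can re-announce the /32 to an upstream with that upstream's own blackhole community.

```ios
! Added example, not from the original post. AS 65001 per the post; the
! addresses, community values and names below are assumptions.
!
! Every router that may carry traffic for a blackholed /32 needs the
! discard route, otherwise the next-hop is unresolvable and the route
! is simply not installed.
ip route 192.0.2.1 255.255.255.255 Null0
!
! 65001:666  = drop inside this AS only
! 65001:6666 = drop here and propagate the request to upstreams/peers
ip community-list standard BLACKHOLE-LOCAL permit 65001:666
ip community-list standard BLACKHOLE-PROPAGATE permit 65001:6666
!
! Blackhole requests are accepted only as host routes inside the space
! the customer is already entitled to announce.
ip prefix-list CUST-A-BH seq 5 permit 198.51.100.0/24 ge 32
ip prefix-list CUST-A-NORMAL seq 5 permit 198.51.100.0/24 le 24
! Any /32 at all, used to keep stray host routes away from upstreams.
ip prefix-list HOST-ROUTES seq 5 permit 0.0.0.0/0 ge 32
!
! Inbound from the customer. Sequence 10 is checked first, so a customer
! wanting propagation sends 65001:6666 on its own, not both communities.
route-map CUST-A-IN permit 10
 match ip address prefix-list CUST-A-BH
 match community BLACKHOLE-LOCAL
 set ip next-hop 192.0.2.1
 set local-preference 500
 set community no-export additive
!
route-map CUST-A-IN permit 20
 match ip address prefix-list CUST-A-BH
 match community BLACKHOLE-PROPAGATE
 set ip next-hop 192.0.2.1
 set local-preference 500
!
route-map CUST-A-IN permit 30
 match ip address prefix-list CUST-A-NORMAL
!
! Outbound to the upstream (AS 64496, assumed). Only /32s that carried
! the propagate community go out, rewritten to the upstream's own
! blackhole community; every other host route is dropped.
route-map UPSTREAM-OUT permit 10
 match community BLACKHOLE-PROPAGATE
 set community 64496:666
!
route-map UPSTREAM-OUT deny 20
 match ip address prefix-list HOST-ROUTES
!
route-map UPSTREAM-OUT permit 30
!
router bgp 65001
 neighbor 203.0.113.2 remote-as 64511
 neighbor 203.0.113.2 send-community
 neighbor 203.0.113.2 route-map CUST-A-IN in
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 send-community
 neighbor 203.0.113.1 route-map UPSTREAM-OUT out
```

The check worth keeping in mind: `send-community` is off by default on IOS eBGP sessions, so without it the customer's request arrives stripped of its community and falls through to the ordinary import policy, where a /32 is normally rejected. The no-export on sequence 10 is what makes 65001:666 a local-only action; the deny at UPSTREAM-OUT sequence 20 is a second line of defence against leaking host routes if a later policy change ever removes it. Dropping only towards a particular peering, as the post describes, is a further refinement on top of this: it needs the discard decision to be made per border router rather than AS-wide, for example with a distinct community or trigger per ingress point, which this example does not show.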
