Blackhole Routes

Eric Germann ekgermann at cctec.com
Thu Sep 30 14:35:36 UTC 2004


We use a variation of this for several things.  At the risk of getting into
political policy discussions ...

We have a PERL script which looks for the wildcard .com record.  If it finds
it (the old Verisign SiteFinder), it injects a blackhole route to kill it.
Also, we periodically pull in (every 4 hours) allocations from various
registries like ARIN, APNIC, LACNIC, etc. and filter by country.  It isn't
elegant, but it does give us the ability to deny traffic to areas our
policies dictate.  Pretty effective for getting rid of spam and the offshore
phishing sites.  If you want to argue the political or policy side of doing
this, I really don't have time, but our clients have been happy with it for
two plus years.

What I would like to see (and have never researched in depth) is a way to apply
the blackhole routes on a community to port basis (i.e. we set up a specific
BGP community to filter mail, and that community goes to a route map that
kills only port 25, another community applies to a map that kills port 80,
etc).  When I have spare time, I may see if there is any way to do that.  Of
course by then, IPv6 will be obsolete, so .....

Eric


-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Abhishek Verma
Sent: Thursday, September 30, 2004 2:52 AM
To: nanog at merit.edu
Subject: Blackhole Routes


Hi,

There are ways to add static routes that can be blackholed. I can understand
the utility of such routes if those are installed in my forwarding table.
What bewilders me is why would anyone want to advertise "blackhole" routes
using say, BGP?

Is it only to prevent some sort of DoS attacks or are there other uses also
of advertising black hole routes?

Thanks,
Abhishek

--
Class of 2004
Institute of Technology, BHU
Varanasi, India
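
Added example, not part of the original thread and not the poster's Perl script: the registry-allocation step from the reply above, written in Python. It assumes the input is in the RIRs' pipe-delimited "delegated" statistics format, uses placeholder country codes (XA, XB) and constructed sample records, and assumes IOS-style static routes to Null0 as the output.

```python
import ipaddress

# Constructed sample in the RIR "delegated" statistics format:
#   registry|cc|type|start|value|date|status
# For ipv4 records, "value" is an address count, not a prefix length.
SAMPLE = """\
2|arin|20040930|4|19700101|20040930|+0000
arin|*|ipv4|*|4|summary
arin|XA|ipv4|192.0.2.0|256|20040101|allocated
apnic|XA|ipv4|198.51.100.0|192|20040102|assigned
apnic|XB|ipv4|203.0.113.0|256|20040103|allocated
apnic|XA|ipv6|2001:db8::|32|20040104|allocated
arin|XA|ipv4|198.51.100.192|64|20040105|allocated
"""

def blocked_prefixes(text, countries):
    """Return aggregated IPv4 networks delegated to the given country codes."""
    nets = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        # Skip comments, the version header and the per-type summary lines.
        if line.startswith("#") or len(fields) < 7 or fields[2] != "ipv4":
            continue
        if fields[1].upper() not in countries:
            continue
        if fields[6] not in ("allocated", "assigned"):
            continue
        first = ipaddress.IPv4Address(fields[3])
        last = first + int(fields[4]) - 1
        # A count such as 192 is not one CIDR block; split it into several.
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent blocks so the route table stays as small as possible.
    return list(ipaddress.collapse_addresses(nets))

def null_routes(nets):
    """Render each network as a static route to Null0 (assumed output format)."""
    return [f"ip route {n.network_address} {n.netmask} Null0" for n in nets]

if __name__ == "__main__":
    for route in null_routes(blocked_prefixes(SAMPLE, {"XA"})):
        print(route)
```

The 192-address and 64-address records are adjacent, so they collapse into a single /24 instead of three separate routes.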





