Blackholes and IXs and Completing the Attack.

Ben Butler ben.butler at c2internet.net
Thu Jan 31 00:07:15 UTC 2008


Hi,

I have been working away on remote-triggered blackholing and community-
based, client-initiated blackholing into transit ASes.  It got me
thinking that while this works great with a handful of upstream transit
peers, it does not really scale very well at an Internet Exchange, with a
high overhead configuring things for many peers.  Plus, if your IX
connection is saturated, that means legitimate traffic must be getting
degraded - even if your router is coping and blackholing, the
interconnect is still flat-lined.

The only ways into an AS are via transit, public IX or private
interconnects, so we want to extend the blackholing to secure IX peers
as well as transits.

So my idea....

Is to have an IX route reflector configured with ACLs locking it down to
exclusively BGP with the IX peer IP of the member.  The IX route
reflector would be configured with per-peer prefix filters,
auto-generated from the registered AS macro for each peer in the
RIPE, ARIN, APNIC etc. databases.  This should mean the router will not
accept announcements for any /32 that is not part of the routes
announced by that AS (it would be even better to tie it down to a match
on origin AS as well).  Plus the router will only talk to IX peers - no
global transit.

This hopefully will ensure a relatively protected router that is only
accessible from the edge routers we want, and also secured to only accept
filtered announcements for blackholing, and in consequence enable the
system to be trusted, similar to Team Cymru.

Then all a member AS of the exchange does is announce any /32 from their
IP block that they would like other members to null route in their AS to
this reflector.

There are people way smarter than me on this list, and the above is not
implemented at any of the IXs I am connected to, so why is the above a
dumb idea, or what have I missed that makes it unworkable?  It does seem
kind of obvious now that I have done some work with this.


Kind Regards

Ben Butler
++++++++++++++++++++++++++++++++++++++++++
C2 Internet Ltd
Globe House, The Gullet, Nantwich, Cheshire, CW5 5RL

E  mailto:ben.butler at c2internet.net
W  http://www.c2internet.net/
B1 http://c2internet.blogspot.com/
B2 http://c2noc.blogspot.com/
T  +44-(0)845-658-0020
F  +44-(0)845-658-0070

All quotes & services from C2 are bound by our standard
terms and conditions which are available on our website at:

http://www.c2internet.net/legal/main.htm#tandc

C2 Internet Limited is a company registered in England and
Wales with company number 03910154

Our VAT Registration number is GB 752 7650 17
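The acceptance logic the post sketches for the IX blackhole reflector (session only from a configured member peer IP, host routes only, the /32 or /128 must fall inside a route object expanded from the member's registered AS macro, and the origin AS must match that route object) can be modelled in a few lines. The following is an added example written for this archive page, not code from the post or from any IX; the AS-set names, ASNs, prefixes and peer IPs are constructed documentation values standing in for what a real reflector would pull from the RIPE/ARIN/APNIC databases.

```python
import ipaddress

# Constructed stand-in for the IRR data the reflector would pull:
# AS-set macro -> member ASNs, and ASN -> registered route objects.
# All names, ASNs and prefixes are example/documentation values, not real records.
AS_SETS = {
    "AS-MEMBER1": {64500, 64501},
    "AS-MEMBER2": {64510},
}
ROUTE_OBJECTS = {
    64500: ["192.0.2.0/24", "2001:db8::/32"],
    64501: ["198.51.100.0/24"],
    64510: ["203.0.113.0/24"],
}

# Hypothetical IX peering LAN: member peer IP -> (member ASN, AS-set macro).
# Only these IPs may open a BGP session to the reflector (the ACL in the post).
PEERS = {
    "10.0.0.1": (64500, "AS-MEMBER1"),
    "10.0.0.2": (64510, "AS-MEMBER2"),
}


def build_peer_filter(macro):
    """Expand one AS-set macro into the (network, origin ASN) pairs the peer may cover."""
    allowed = []
    for asn in sorted(AS_SETS.get(macro, ())):
        for prefix in ROUTE_OBJECTS.get(asn, ()):
            allowed.append((ipaddress.ip_network(prefix), asn))
    return allowed


def build_all_filters():
    """Per-peer prefix filters, regenerated from the registry for every configured peer."""
    return {ip: build_peer_filter(macro) for ip, (_asn, macro) in PEERS.items()}


PEER_FILTERS = build_all_filters()


def evaluate_announcement(peer_ip, prefix, origin_asn, filters=PEER_FILTERS):
    """Decide whether the reflector accepts a blackhole announcement.

    Returns (accepted, reason).  A route is accepted only if the session comes
    from a configured peer IP, the prefix is a host route (/32 or /128), it sits
    inside a route object from the peer's AS-set, and the origin ASN matches
    that route object's origin (the "even better" check from the post).
    """
    if peer_ip not in filters:
        return False, "session refused: source IP is not a configured IX peer"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "rejected: malformed prefix"
    if net.prefixlen != net.max_prefixlen:
        return False, "rejected: only host routes (/32 or /128) are accepted"
    covering = [
        (allowed_net, allowed_origin)
        for allowed_net, allowed_origin in filters[peer_ip]
        if allowed_net.version == net.version and net.subnet_of(allowed_net)
    ]
    if not covering:
        return False, "rejected: prefix is outside the peer's registered routes"
    if any(origin == origin_asn for _net, origin in covering):
        return True, "accepted"
    registered = ", ".join(f"AS{o}" for _n, o in covering)
    return False, f"rejected: origin AS{origin_asn} does not match route object origin ({registered})"


if __name__ == "__main__":
    # Constructed sample announcements: one good, then each rejection path.
    samples = [
        ("10.0.0.1", "192.0.2.55/32", 64500),     # inside own route object
        ("10.0.0.1", "2001:db8::1/128", 64500),   # IPv6 host route
        ("10.0.0.1", "203.0.113.9/32", 64500),    # another member's space
        ("10.0.0.1", "192.0.2.0/24", 64500),      # not a host route
        ("10.0.0.1", "198.51.100.7/32", 64500),   # covered, but wrong origin AS
        ("10.0.0.9", "192.0.2.55/32", 64500),     # not a configured peer IP
    ]
    for peer_ip, prefix, origin in samples:
        ok, why = evaluate_announcement(peer_ip, prefix, origin)
        print(f"{peer_ip:10} {prefix:20} AS{origin}: {why}")
```

The filter expansion is kept separate from the per-announcement check so that the filters can be rebuilt from the registries on a schedule while the reflector keeps running; the origin-AS comparison is done per covering route object rather than per AS-set, so a member announcing a /32 from a sibling ASN's block inside the same macro is still rejected unless the origin matches.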
