Global Blackhole Service

Nuno Vieira - nfsi telecom nuno.vieira at nfsi.pt
Fri Feb 13 10:41:41 CST 2009


Ok, however, what i am talking about is a competelly diferent thing, and i think that my thoughts are alligned with Jens.

We want to have a Sink-BGP-BL, based on Destination.

Imagine, i as an ISP, host a particular server that is getting nn Gbps of DDoS attack.  I null route it, and start advertising a /32 to my upstream providers with a community attached, for them to null route it at their network.
However, the attacks continue going, on and on, often flooding internet exchange connections and so.

A solution like this, widelly used, would prevent packets to leave their home network, mitigating with effective any kind of DDoS (or packet flooding).

Obviously, we need a few people to build this (A Website, an organization), where when a new ISP connects is added to the system, a prefix list should be implemented, preventing that ISP to announce IP addresses that DON'T belong to him.

The Sink-BGP-BL sends a full feed of what it gots to Member ISP's, and those member ISP's, should apply route-maps or whatever they want, but, in the end they want to discard the traffic to those prefixes (ex: Null0 or /dev/null).

This is a matter or getting enough people to kick this off, to build a website, to establish one or two route-servers and to give use to.

Once again, i am interested on this, if others are aswell, let know.  This should be a community-driven project.

regards,
---
Nuno Vieira
nfsi telecom, lda.

nuno.vieira at nfsi.pt
Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
http://www.nfsi.pt/



----- "Valdis Kletnieks" <Valdis.Kletnieks at vt.edu> wrote:

> How do you vet proposed new entries to make sure that some miscreant
> doesn't
> DoS a legitimate site by claiming it is in need of black-holing?  Note
> that
> it's a different problem space than a bogon BGP feed or a spam-source
> BGP
> feed - if the Cymru guys take another 6 hours to do a proper paperwork
> and
> background check to verify a bogon, or if Paul and company take
> another day
> to verify something really *is* a cesspit of spam sources, it doesn't
> break the
> basic concept or usability of the feed.
> 
> You usually don't *have* a similar luxury if you're trying to deal
> with a
> DDoS, because those are essentially a real-time issue.
> 
> Oh, and cleaning up an entry in a timely fashion is also important,
> otherwise
> an attacker can launch a DDoS, get the target into the feed, and walk
> away...




More information about the NANOG mailing list