Global Blackhole Service
Steven M. Bellovin
smb at cs.columbia.edu
Fri Feb 13 17:15:53 UTC 2009
On Fri, 13 Feb 2009 16:41:41 +0000 (WET)
Nuno Vieira - nfsi telecom <nuno.vieira at nfsi.pt> wrote:
> Ok, however, what I am talking about is a completely different thing,
> and I think that my thoughts are aligned with Jens'.
> We want to have a Sink-BGP-BL, based on destination.
> Imagine, I as an ISP, host a particular server that is getting nn
> Gbps of DDoS attack. I null route it, and start advertising a /32 to
> my upstream providers with a community attached, for them to null
> route it at their network. However, the attacks continue going, on
> and on, often flooding internet exchange connections and so on.
> A solution like this, widely used, would prevent packets from leaving
> their home network, effectively mitigating any kind of DDoS (or
> packet flooding).
> Obviously, we need a few people to build this (a website, an
> organization), where when a new ISP connects and is added to the system,
> a prefix list should be implemented, preventing that ISP from announcing
> IP addresses that DON'T belong to it.
> The Sink-BGP-BL sends a full feed of what it gets to member ISPs,
> and those member ISPs should apply route-maps or whatever they
> want, but, in the end they want to discard the traffic to those
> prefixes (ex: Null0 or /dev/null).
> This is a matter of getting enough people to kick this off, to build
> a website, to establish one or two route-servers and to give use to.
> Once again, I am interested in this; if others are as well, let me know.
> This should be a community-driven project.
In other words, a legitimate prefix hijacking service...
As Randy and Valdis have pointed out, if this isn't done very carefully
it's an open invitation to a new, very effective DoS technique. You
can't do this without authoritative knowledge of exactly who owns any
prefix; you also have to be able to authenticate the request to
blackhole it. Those two points are *hard*. I also note that the
scheme as described here is incompatible with more or less any possible
secured BGP, since by definition it involves an AS that doesn't own a
prefix advertising a route to it.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
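The crux of the exchange above is the per-member prefix list: a route-server for a destination-based blackhole feed must accept a /32 only from a member that is authoritatively known to hold the covering prefix, or the feed becomes the hijacking service Bellovin describes. The following is an added illustration of that admission check, not code from the thread or from any real blackhole service; the member registry, ASNs and prefixes are constructed sample values (documentation ranges and private ASNs), and a real deployment would have to populate the registry from an authoritative source, which is exactly the hard part the reply points out.

```python
import ipaddress

# Constructed sample registry: member ASN -> prefixes that member is
# authorized to blackhole within. Values are documentation space and
# private ASNs; a real feed would need authoritative, authenticated data.
AUTHORIZED = {
    64500: ["192.0.2.0/24", "2001:db8:1::/48"],
    64501: ["198.51.100.0/24"],
}


def validate_request(asn, prefix, registry=AUTHORIZED):
    """Decide whether a blackhole request may enter the feed.

    Returns (accepted, reason). A request is accepted only if:
      * the requesting ASN is a known member,
      * the prefix parses as a single host route (/32 IPv4 or /128 IPv6),
      * the host route lies inside a prefix the member is authorized for.
    Anything else is rejected with a short reason string.
    """
    authorized = registry.get(asn)
    if authorized is None:
        return False, "unknown member ASN"

    try:
        # strict=True rejects prefixes with host bits set, e.g. 192.0.2.17/24
        host = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"

    if host.prefixlen != host.max_prefixlen:
        # Only host routes are accepted; a covering block would blackhole
        # far more than the attacked server.
        return False, "not a host route"

    for block in authorized:
        net = ipaddress.ip_network(block)
        if net.version == host.version and host.subnet_of(net):
            return True, "ok"

    return False, "prefix not within member's authorized space"


def build_feed(requests, registry=AUTHORIZED):
    """Filter a batch of (asn, prefix) requests into the feed to announce.

    Returns (accepted_prefixes, rejections) where rejections is a list of
    (asn, prefix, reason) tuples for operator review.
    """
    accepted, rejected = [], []
    for asn, prefix in requests:
        ok, reason = validate_request(asn, prefix, registry)
        if ok:
            accepted.append(prefix)
        else:
            rejected.append((asn, prefix, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample batch, including a member trying to blackhole
    # an address outside its own space.
    sample = [
        (64500, "192.0.2.17/32"),      # legitimate
        (64501, "192.0.2.17/32"),      # not this member's space
        (64500, "192.0.2.0/24"),       # whole block, not a host route
        (64500, "2001:db8:1::5/128"),  # legitimate IPv6 host route
        (64599, "198.51.100.9/32"),    # unknown member
    ]
    feed, problems = build_feed(sample)
    print("announce:", feed)
    for asn, prefix, reason in problems:
        print(f"reject AS{asn} {prefix}: {reason}")
```

The check covers only the first of Bellovin's two points (knowing who holds a prefix); authenticating that the request really came from that member is a separate problem the code assumes is solved upstream.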