Global Blackhole Service
jbates at brightok.net
Fri Feb 13 17:22:30 UTC 2009
Paul Vixie wrote:
> i think Spamhaus and Cymru are way ahead of you in implementing such a thing,
> and it's likely that there are even commercial alternatives to Trend Micro
> although i have not kept up on those details.

I think there's a misunderstanding from what I've read about what is
being blackholed. We are not talking about blackholing the senders, but
a massive scale method of blackholing the victims at the victim's
request to protect infrastructure. Currently this type of service
usually doesn't extend beyond one or two ASs and depending on traffic
flows can still cause damage, especially through exchange points.

With enough support and use, this would allow a larger portion of bad
traffic to be null routed closer to the sender origination points. Since
the null routing BGP servers would expect a larger routing table from
these /32 networks, they would be placed at key points capable of
handling the larger tables; compared to just allowing the /32's out into
the wild and possibly exceeding route/memory constraints.

It can also be used as authoritative information that an IP is
undergoing a DOS attack, and large volumes of connections to that IP
should be considered suspect. I consider this a much more useful method
of detecting DOS traffic leaving your infected users than the emails
which are usually sent out by those being hit by DOS.
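
The detection use described in the last paragraph, as an added example that is not part of the original post: flow records from your own network are matched against the victim /32s announced by the blackhole feed, and subscribers sending large volumes to those addresses are flagged. The feed contents, customer prefix, flow tuple layout and threshold are all assumptions, and every address is constructed from documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation address ranges, not real hosts).
BLACKHOLED = ["192.0.2.10/32", "192.0.2.77/32"]   # victim /32s learned from the feed
CUSTOMER_NETS = ["203.0.113.0/24"]                # our own subscriber space
FLOWS = [  # (source, destination, connection count), e.g. from flow export
    ("203.0.113.5", "192.0.2.10", 4200),
    ("203.0.113.5", "192.0.2.77", 1800),
    ("203.0.113.9", "192.0.2.10", 3),         # talks to a victim, but low volume
    ("203.0.113.9", "198.51.100.20", 9000),   # busy, but target is not blackholed
    ("198.51.100.99", "192.0.2.10", 5000),    # source is not one of our customers
    ("not-an-ip", "192.0.2.10", 1),           # malformed record
]

def suspect_sources(flows, blackholed, customer_nets, threshold=1000):
    """Return {customer_ip: connections} for customers whose total
    connections to blackholed victims reach the (assumed) threshold."""
    victims = [ipaddress.ip_network(p) for p in blackholed]
    customers = [ipaddress.ip_network(p) for p in customer_nets]
    totals = Counter()
    for src, dst, count in flows:
        try:
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip malformed flow records instead of aborting
        if not any(s in net for net in customers):
            continue  # only our own users are actionable
        if any(d in v for v in victims):
            totals[str(s)] += count  # sum across all victims per source
    return {src: n for src, n in totals.items() if n >= threshold}

if __name__ == "__main__":
    hits = suspect_sources(FLOWS, BLACKHOLED, CUSTOMER_NETS)
    for src, n in sorted(hits.items()):
        print(f"{src}: {n} connections to blackholed victims")
```

Summing per source across all victims matters because a host that spreads its traffic over several blackholed addresses can stay under a per-destination threshold.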