Global Blackhole Service

Jack Bates jbates at brightok.net
Fri Feb 13 17:22:30 UTC 2009


Paul Vixie wrote:
> i think Spamhaus and Cymru are way ahead of you in implementing such a thing,
> and it's likely that there are even commercial alternatives to Trend Micro
> although i have not kept up on those details.

I think there's a misunderstanding from what I've read about what is 
being blackholed. We are not talking about blackholing the senders, but 
a massive scale method of blackholing the victims at the victim's 
request to protect infrastructure. Currently this type of service 
usually doesn't extend beyond one or two ASs and depending on traffic 
flows can still cause damage, especially through exchange points.

With enough support and use, this would allow a larger portion of bad 
traffic to be null routed closer to the sender origination points. Since 
the null routing BGP servers would expect a larger routing table from 
these /32 networks, they would be placed at key points capable of 
handling the larger tables; compared to just allowing the /32's out into 
the wild and possibly exceeding route/memory constraints.

It can also be used as authoritative information that an IP is 
undergoing a DOS attack, and large volumes of connections to that IP 
should be considered suspect. I consider this a much more useful method 
of detecting DOS traffic leaving your infected users than the emails 
which are usually sent out by those being hit by DOS.


Jack
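
Added example, not part of the original message or of any existing service: a sketch of the detection use described above, treating the blackhole feed as an authoritative list of victims and flagging local hosts that send repeated flows to them. The feed contents, the local prefix, the flow records and the `min_flows` threshold are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation address ranges), not a real feed.
BLACKHOLE_FEED = ["198.51.100.7/32", "203.0.113.44/32"]
LOCAL_NET = "192.0.2.0/24"          # hypothetical customer address space
FLOWS = [                            # (source, destination, dst_port)
    ("192.0.2.10", "198.51.100.7", 80),
    ("192.0.2.10", "198.51.100.7", 80),
    ("192.0.2.10", "198.51.100.7", 80),
    ("192.0.2.11", "198.51.100.7", 80),    # single flow: below threshold
    ("192.0.2.12", "198.51.100.8", 443),   # neighbour of a victim, not listed
    ("192.0.2.13", "203.0.113.44", 53),
    ("192.0.2.13", "203.0.113.44", 53),
    ("192.0.2.13", "203.0.113.44", 53),
    ("10.9.9.9", "203.0.113.44", 53),      # not one of our users
]


def parse_feed(prefixes):
    """Accept only IPv4 host routes (/32), as the proposal describes."""
    hosts = set()
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        if net.version == 4 and net.prefixlen == 32:
            hosts.add(net.network_address)
    return hosts


def suspect_sources(flows, feed, local_net, min_flows=3):
    """Return {local source: {victim: flow count}} for counts >= min_flows."""
    victims = parse_feed(feed)
    local = ipaddress.ip_network(local_net)
    counts = Counter()
    for src, dst, _port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in local and d in victims:
            counts[(str(s), str(d))] += 1
    report = {}
    for (src, dst), n in counts.items():
        if n >= min_flows:
            report.setdefault(src, {})[dst] = n
    return report


if __name__ == "__main__":
    for src, hits in suspect_sources(FLOWS, BLACKHOLE_FEED, LOCAL_NET).items():
        print(src, hits)
```

Rejecting anything other than a /32 in `parse_feed` keeps a malformed or overly broad feed entry from marking a whole network as a victim.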




