Global Blackhole Service

Barry Raveendran Greene bgreene at senki.org
Fri Feb 13 12:03:38 CST 2009


FYI - I think Paul knows exactly what you are talking about.

Hint - review the seminar:

http://www.nanog.org/meetings/nanog36/abstracts.php?pt=Mzk5Jm5hbm9nMzY=&nm=nanog36
 

> -----Original Message-----
> From: Jack Bates [mailto:jbates at brightok.net] 
> Sent: Friday, February 13, 2009 9:23 AM
> To: Paul Vixie
> Cc: nanog at merit.edu
> Subject: Re: Global Blackhole Service
> 
> Paul Vixie wrote:
> > i think Spamhaus and Cymru are way ahead of you in implementing such a
> > thing, and it's likely that there are even commercial alternatives to
> > Trend Micro although i have not kept up on those details.
> 
> I think there's a misunderstanding from what I've read about 
> what is being blackholed. We are not talking about 
> blackholing the senders, but a massive scale method of 
> blackholing the victims at the victim's request to protect 
> infrastructure. Currently this type of service usually 
> doesn't extend beyond one or two ASs and depending on traffic 
> flows can still cause damage, especially through exchange points.
> 
> With enough support and use, this would allow a larger 
> portion of bad traffic to be null routed closer to the sender 
> origination points. Since the null routing BGP servers would 
> expect a larger routing table from these /32 networks, they 
> would be placed at key points capable of handling the larger 
> tables; compared to just allowing the /32's out into the wild 
> and possibly exceeding route/memory constraints.
> 
> It can also be used as authoritative information that an IP 
> is undergoing a DOS attack, and large volumes of connections 
> to that IP should be considered suspect. I consider this a 
> much more useful method of detecting DOS traffic leaving your 
> infected users than the emails which are usually sent out by 
> those being hit by DOS.
> 
> 
> Jack
> 
> 
> 
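The detection use described in the quoted message (treating the blackholed /32s as a list of hosts under attack and checking your own users' outbound traffic against it) could look like the following. This is an added example, not code from the thread or from any service it mentions; the feed contents, customer range, flow tuples, threshold and function names are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation/private ranges), not real indicators.
FEED = ["192.0.2.10/32", "198.51.100.7/32", "203.0.113.0/24"]  # last entry is not a /32
CUSTOMER_NETS = ["10.20.0.0/16"]                                # assumed local user range
FLOWS = [  # (source, destination, connection count) as exported by a flow collector
    ("10.20.1.5", "192.0.2.10", 400),
    ("10.20.1.5", "192.0.2.10", 350),
    ("10.20.3.9", "192.0.2.10", 3),
    ("10.20.7.7", "203.0.113.50", 900),
    ("172.16.0.1", "198.51.100.7", 5000),
    ("10.20.9.2", "198.51.100.7", 600),
]

def load_victims(prefixes):
    """Keep only IPv4 host routes; a wider prefix in the feed is ignored
    so that one bad entry cannot mark a whole network as 'under attack'."""
    victims = set()
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version == 4 and net.prefixlen == 32:
            victims.add(net.network_address)
    return victims

def suspect_sources(flows, victims, customer_nets, threshold):
    """Return (source, victim, connections) for local sources whose total
    connections to a blackholed victim reach the threshold."""
    nets = [ipaddress.ip_network(n) for n in customer_nets]
    totals = Counter()
    for src, dst, conns in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in victims and any(s in n for n in nets):
            totals[(src, dst)] += conns
    return sorted((s, d, c) for (s, d), c in totals.items() if c >= threshold)

if __name__ == "__main__":
    for src, dst, conns in suspect_sources(FLOWS, load_victims(FEED), CUSTOMER_NETS, 500):
        print(f"{src} -> {dst}: {conns} connections to a blackholed victim")
```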




